Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (HashiCorp).
CVSS VectorVendor: HashiCorp
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
AnalysisAI
Arbitrary file read vulnerability in HashiCorp go-getter library versions up to 1.8.5 enables unauthenticated remote attackers to access sensitive files from the target filesystem through specially crafted git operation URLs. The vulnerability permits confidentiality breach without authentication requirements, affecting network-accessible services utilizing the library for repository cloning or fetching operations. Fixed in version 1.8.6; go-getter/v2 branch unaffected. No public exploit identified at time of analysis.
Technical ContextAI
Path traversal flaw (CWE-200) in git URL processing logic permits file system access beyond intended repository boundaries. Malicious URL parameters during git clone/fetch operations bypass input sanitization, enabling read access to arbitrary files accessible to the application process. Root cause stems from insufficient validation of user-supplied git references before filesystem operations.
RemediationAI
Vendor-released patch: upgrade go-getter library to version 1.8.6 or later immediately. Update Go module dependencies via 'go get -u github.com/hashicorp/go-getter@v1.8.6' and verify go.mod reflects patched version. For applications unable to upgrade immediately, migrate to go-getter/v2 branch which is not affected by this vulnerability. Organizations should audit all projects for go-getter dependencies and prioritize updates for internet-facing services. Detailed vendor security bulletin available at https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311. No effective workaround exists for v1 branch without upgrading; restrict network access to services using vulnerable versions until patched.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Important| Product | Status |
|---|---|
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20894
GHSA-92mm-2pjq-r785