{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4660", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2026-03-23T16:07:20.700Z", "datePublished": "2026-04-09T13:47:46.953Z", "dateUpdated": "2026-04-09T14:44:55.926Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Tooling", "repo": "https://github.com/hashicorp/go-getter", "vendor": "HashiCorp", "versions": [{"lessThan": "1.8.6", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>HashiCorp\u2019s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.</p><br/>"}], "value": "HashiCorp\u2019s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package."}], "impacts": [{"capecId": "CAPEC-6", "descriptions": [{"lang": "en", "value": "CAPEC-6: Argument Injection"}]}], "metrics": [{"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-09T13:47:46.953Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311"}], "source": {"advisory": "HCSEC-2026-04", "discovery": "EXTERNAL"}, "title": "Go-getter may allow to arbitrary filesystem reads through git operations"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:44:45.451609Z", "id": "CVE-2026-4660", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:44:55.926Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4660", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:44:45.451609Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:44:52.929Z"}}], "cna": {"title": "Go-getter may allow to arbitrary filesystem reads through git operations", "source": {"advisory": "HCSEC-2026-04", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-6", "descriptions": [{"lang": "en", "value": "CAPEC-6: Argument Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/hashicorp/go-getter", "vendor": "HashiCorp", "product": "Tooling", "versions": [{"status": "affected", "version": "0", "lessThan": "1.8.6", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311"}], "descriptions": [{"lang": "en", "value": "HashiCorp\u2019s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.", "supportingMedia": [{"type": "text/html", "value": "<p>HashiCorp\u2019s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.</p><br/>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-09T13:47:46.953Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4660", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:44:55.926Z", "dateReserved": "2026-03-23T16:07:20.700Z", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "datePublished": "2026-04-09T13:47:46.953Z", "assignerShortName": "HashiCorp"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HashiCorp\u2019s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package."}], "id": "CVE-2026-4660", "lastModified": "2026-04-09T14:16:32.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2026-04-09T14:16:32.993", "references": [{"source": "security@hashicorp.com", "url": "https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{"bugzilla": {"description": "go-getter: go-getter: Arbitrary file reads via maliciously crafted URL", "id": "2456909", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456909"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in the go-getter library. A remote attacker could exploit this vulnerability by providing a maliciously crafted URL during certain git operations. This could allow the attacker to perform arbitrary file reads on the file system, potentially leading to the disclosure of sensitive information."], "name": "CVE-2026-4660", "package_state": [{"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "syft/syft", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "redhat-user-workloads/art-images", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/cli-v06", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/cli-v07", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/cli-v08", "product_name": "Red Hat Trusted Artifact Signer"}], "public_date": "2026-04-09T13:47:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4660\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4660\nhttps://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Tooling", "source": "cna", "vendor": "HashiCorp"}, "product": "tooling", "vendor": "hashicorp"}], "analysis": {"en": {"generated_at": "2026-04-09T15:50:34.255309+00:00", "value": {"mitigation_remediation": ["Update the go\u2011getter library to version 1.8.6 or later, as this release contains the patch that eliminates the arbitrary file read.", "Verify that any dependencies or wrappers around go\u2011getter in your tooling are also updated to rely on the fixed version.", "If an immediate upgrade is not feasible, restrict the set of allowed Git URLs to a trusted whitelist and validate all incoming URLs against it before invoking go\u2011getter.", "Continue to monitor HashiCorp security advisories and community forums for any additional workarounds or future patches."], "summary": {"action": "Patch Now", "impact": "Arbitrary File System Read"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of HashiCorp's go\u2011getter up to and including v1.8.5. The library is commonly used across HashiCorp tooling, while the separate go\u2011getter/v2 branch is unaffected. The issue is resolved in go\u2011getter v1.8.6 and later.", "description_and_impact": "The flaw in HashiCorp\u2019s go\u2011getter library allows an attacker to read any file on the host operating system during certain Git operations. By supplying a maliciously crafted Git URL, a remote code execution vector is created that falls under CWE\u2011200, enabling confidential data disclosure such as credentials, configuration files, or private keys.", "risk_and_exploitability": "With a CVSS score of 7.5 the flaw is classified as high severity, indicating serious risk if exploited. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, so the exact exploit likelihood is unknown. However, the attack path\u2014injecting a malicious Git URL during normal repository operations\u2014is easily achievable in any environment that uses go\u2011getter for remote fetching, making the risk considerable for exposed pieces of the code base or configuration."}}}}, "created": "2026-04-10T08:53:39.495372+00:00", "updated": "2026-04-10T09:32:50.869155+00:00", "vendors": ["hashicorp", "hashicorp$PRODUCT$tooling"]}