{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4660", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2026-03-23T16:07:20.700Z", "datePublished": "2026-04-09T13:47:46.953Z", "dateUpdated": "2026-04-17T17:57:55.534Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "product": "Tooling", "repo": "https://github.com/hashicorp/go-getter", "vendor": "HashiCorp", "versions": [{"lessThan": "1.8.6", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "value": "This issue was identified by Nicholas Gould (github.com/gouldnicholas)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>HashiCorp\u2019s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.</p><br/>"}], "value": "HashiCorp\u2019s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package."}], "impacts": [{"capecId": "CAPEC-6", "descriptions": [{"lang": "en", "value": "CAPEC-6: Argument Injection"}]}], "metrics": [{"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T17:57:55.534Z"}, "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311"}], "source": {"advisory": "HCSEC-2026-04", "discovery": "EXTERNAL"}, "title": "Go-getter may allow to arbitrary filesystem reads through git operations"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:44:45.451609Z", "id": "CVE-2026-4660", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:44:55.926Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4660", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:44:45.451609Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:44:52.929Z"}}], "cna": {"title": "Go-getter may allow to arbitrary filesystem reads through git operations", "source": {"advisory": "HCSEC-2026-04", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "This issue was identified by Nicholas Gould (github.com/gouldnicholas)"}], "impacts": [{"capecId": "CAPEC-6", "descriptions": [{"lang": "en", "value": "CAPEC-6: Argument Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/hashicorp/go-getter", "vendor": "HashiCorp", "product": "Tooling", "versions": [{"status": "affected", "version": "0", "lessThan": "1.8.6", "versionType": "semver"}], "platforms": ["64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311"}], "descriptions": [{"lang": "en", "value": "HashiCorp\u2019s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.", "supportingMedia": [{"type": "text/html", "value": "<p>HashiCorp\u2019s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.</p><br/>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-17T17:57:55.534Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4660", "state": "PUBLISHED", "dateUpdated": "2026-04-17T17:57:55.534Z", "dateReserved": "2026-03-23T16:07:20.700Z", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "datePublished": "2026-04-09T13:47:46.953Z", "assignerShortName": "HashiCorp"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HashiCorp\u2019s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package."}], "id": "CVE-2026-4660", "lastModified": "2026-04-13T15:02:47.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@hashicorp.com", "type": "Secondary"}]}, "published": "2026-04-09T14:16:32.993", "references": [{"source": "security@hashicorp.com", "url": "https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311"}], "sourceIdentifier": "security@hashicorp.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@hashicorp.com", "type": "Secondary"}]}

{"bugzilla": {"description": "go-getter: go-getter: Arbitrary file reads via maliciously crafted URL", "id": "2456909", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456909"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-22", "details": ["A flaw was found in the go-getter library. A remote attacker could exploit this vulnerability by providing a maliciously crafted URL during certain git operations. This could allow the attacker to perform arbitrary file reads on the file system, potentially leading to the disclosure of sensitive information."], "name": "CVE-2026-4660", "package_state": [{"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "syft/syft", "product_name": "Red Hat Hardened Images"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "redhat-user-workloads/art-images", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/cli-v06", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/cli-v07", "product_name": "Red Hat Trusted Artifact Signer"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/cli-v08", "product_name": "Red Hat Trusted Artifact Signer"}], "public_date": "2026-04-09T13:47:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4660\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4660\nhttps://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": ["64_bit", "32_bit", "x86", "arm", "macos", "windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Tooling", "source": "cna", "vendor": "HashiCorp"}, "product": "tooling", "vendor": "hashicorp"}], "analysis": {"en": {"generated_at": "2026-04-10T13:24:44.056944+00:00", "value": {"mitigation_remediation": ["Upgrade HashiCorp go\u2011getter to version 1.8.6 or later", "Verify that all tooling components use the upgraded library version", "Limit git operations to trusted sources or disable external git access when feasible", "Monitor for unexpected file\u2011system access or anomalous git activity", "Apply regular dependency updates as per best practice"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file system read via malicious git URL"}, "threat_synthesis": {"affected_systems": "Affected systems include any HashiCorp tooling that uses go\u2011getter up to and including v1.8.5, such as HashiCorp infrastructure automation products that import modules or plugins via git. The vulnerability does not affect the go\u2011getter/v2 package, nor versions 1.8.6 and later, which are already patched.", "description_and_impact": "The vulnerability resides in HashiCorp\u2019s go\u2011getter library version 1.8.5 and earlier. A specially crafted git URL can cause the library to resolve paths that lead outside the intended repository, allowing the caller to read arbitrary files on the host file system. Attackers could thus obtain sensitive configuration files or secrets, resulting in accidental disclosure of confidential data. The weakness is reflected by CWE\u2011200 (Information Exposure) and CWE\u201122 (Path Traversal).", "risk_and_exploitability": "The CVSS score of 7.5 indicates a medium\u2011to\u2011high severity, while the lack of an EPSS score suggests insufficient public exploitation data. The issue is not yet listed in CISA\u2019s KEV catalog. The exploit would require the attacker to supply a malicious git URL; thus, attackers could target assets during provisioning or module fetch operations. The path traversal is not provided by a web interface by default, implying that the attack vector is likely restricted to automated or scripted Git operations, potentially through supply\u2011chain manipulation or social engineering."}}}}, "created": "2026-04-10T08:53:39.495372+00:00", "updated": "2026-04-13T13:06:55.744290+00:00", "vendors": ["hashicorp", "hashicorp$PRODUCT$tooling"]}