{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-4660", "assignerOrgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "state": "PUBLISHED", "assignerShortName": "HashiCorp", "dateReserved": "2026-03-23T16:07:20.700Z", "datePublished": "2026-04-09T13:47:46.953Z", "dateUpdated": "2026-04-09T14:44:55.926Z" }, "containers": { "cna": { "affected": [ { "defaultStatus": "unaffected", "platforms": [ "64 bit", "32 bit", "x86", "ARM", "MacOS", "Windows", "Linux" ], "product": "Tooling", "repo": "https://github.com/hashicorp/go-getter", "vendor": "HashiCorp", "versions": [ { "lessThan": "1.8.6", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.


" } ], "value": "HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package." } ], "impacts": [ { "capecId": "CAPEC-6", "descriptions": [ { "lang": "en", "value": "CAPEC-6: Argument Injection" } ] } ], "metrics": [ { "cvssV3_1": { "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "orgId": "67fedba0-ff2e-4543-ba5b-aa93e87718cc", "shortName": "HashiCorp", "dateUpdated": "2026-04-09T13:47:46.953Z" }, "references": [ { "url": "https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311" } ], "source": { "advisory": "HCSEC-2026-04", "discovery": "EXTERNAL" }, "title": "Go-getter may allow to arbitrary filesystem reads through git operations" }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-04-09T14:44:45.451609Z", "id": "CVE-2026-4660", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:44:55.926Z" } } ] } }