CVE-2026-4660
Published 2026-04-09
Priority P3 · 46 · high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.58% (43.5th percentile)
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | hashicorp_go-getter | >= 0 < 1.8.6 | 1.8.6 |
| github.com | opentofu_opentofu | >= 0 < 1.11.10 | 1.11.10 |
| github.com | opentofu_opentofu | >= 1.12.0-beta1 < 1.12.3 | 1.12.3 |
| hashicorp | tooling | < 1.8.6 | 1.8.6 |
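The fixed versions in the table give an operator a concrete check to run before trusting a build. Below is an added example, written for this page and not code from go-getter, OpenTofu or HashiCorp: it encodes the three Go module ranges above, compares Go module versions against them (including the pre-release lower bound on the 1.12 line, where `v1.12.0-beta1` must sort below `v1.12.0`), and scans the output of `go version -m <binary>` so a shipped `tofu` or any other go-getter consumer can be checked without its source. The module paths `github.com/hashicorp/go-getter` and `github.com/opentofu/opentofu` are assumptions taken from the repositories named in the table, and the sample `go version -m` output is constructed, not captured from a real binary.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// affectedRange mirrors one row of the advisory table: version v is
// vulnerable when introduced <= v < fixed ("" introduced = every release).
type affectedRange struct{ module, introduced, fixed string }

// Module paths are assumed from the repositories the advisory names; the
// separate module github.com/hashicorp/go-getter/v2 is left out on purpose.
var cve20264660 = []affectedRange{
	{"github.com/hashicorp/go-getter", "", "v1.8.6"},
	{"github.com/opentofu/opentofu", "", "v1.11.10"},
	{"github.com/opentofu/opentofu", "v1.12.0-beta1", "v1.12.3"},
}

// semver is a parsed "vMAJOR.MINOR.PATCH[-PRERELEASE]" module version.
type semver struct {
	core [3]int
	pre  string // "" for a final release
}

func parseVersion(s string) (semver, bool) {
	var v semver
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, false // "(devel)", "" and other non-semver strings
	}
	var err error
	for i := 0; i < 3 && err == nil; i++ {
		v.core[i], err = strconv.Atoi(parts[i])
	}
	return v, err == nil
}

// compareVersions is negative, zero or positive as a <, ==, > b. A pre-release
// sorts below the final release with the same numbers; pre-release tags compare
// lexically, which handles tags like beta1 but is not the full semver rule.
func compareVersions(a, b semver) int {
	for i := range a.core {
		if d := a.core[i] - b.core[i]; d != 0 {
			return d
		}
	}
	if a.pre == "" || b.pre == "" {
		return len(b.pre) - len(a.pre) // a final release outranks any pre-release
	}
	return strings.Compare(a.pre, b.pre)
}

// IsAffected reports whether module@version falls in an advisory range.
// An unparseable version such as "(devel)" comes back false and needs a manual look.
func IsAffected(module, version string) bool {
	v, ok := parseVersion(version)
	for _, r := range cve20264660 {
		if !ok || r.module != module {
			continue
		}
		lo, _ := parseVersion(r.introduced)
		hi, _ := parseVersion(r.fixed)
		if (r.introduced == "" || compareVersions(v, lo) >= 0) && compareVersions(v, hi) < 0 {
			return true
		}
	}
	return false
}

// ScanGoVersionM walks `go version -m <binary>` output and returns every
// mod/dep module@version that is affected. Replace directives ("=>" lines)
// are not resolved here; the replacement, not the requirement, is what links.
func ScanGoVersionM(out string) (hits []string) {
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || (f[0] != "mod" && f[0] != "dep") {
			continue
		}
		if IsAffected(f[1], f[2]) {
			hits = append(hits, f[1]+"@"+f[2])
		}
	}
	return hits
}

// Constructed sample shaped like `go version -m /usr/local/bin/tofu` output
// (tab-separated columns, hashes shortened); not captured from a real binary.
const sampleGoVersionM = "/usr/local/bin/tofu: go1.22.0\n" +
	"\tmod\tgithub.com/opentofu/opentofu\tv1.11.9\th1:AAAA\n" +
	"\tdep\tgithub.com/hashicorp/go-getter\tv1.7.8\th1:BBBB\n" +
	"\tdep\tgithub.com/hashicorp/go-getter/v2\tv2.2.3\th1:CCCC\n"

func main() { fmt.Println(ScanGoVersionM(sampleGoVersionM)) }
```

Run the same scan on a real binary with `go version -m $(command -v tofu)`; in a source tree, `go list -m all` prints the resolved module versions in the same path/version shape. Two caveats the code comments flag: a `=>` line after a dep is a replace directive, and the replacement on that line is what was linked in, so check it rather than the original requirement; and a version the parser cannot place, such as `(devel)`, is reported as not affected, which in an audit should be treated as "unknown" rather than "clean". The v2 module path never matches a row, which is exactly the "does not affect the go-getter/v2 branch and package" statement above.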
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| ghsa | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
GHSA
OpenTofu: Possible arbitrary file read during certain git operations via a maliciously crafted URL
ghsa · 2026-06-19 · CVSS 7.5 · HIGH · CWE-1395
### Impact
Possible data exposure.
#### Summary
While downloading packages from a maliciously crafted URL, some git operations against that URL could allow arbitrary file read.
This might allow disclosure of confidential information.
#### Details
OpenTofu relies on [go-getter](https://github.com/hashicorp/go-getter) for downloading packages like providers and modules. While doing so from a maliciously crafted URL, the operator could be affected by confidential information disclosure.
The go-getter maintainers have recently published [CVE-2026-4660](https://github.com/advisories/GHSA-92mm-2pjq-r785) for this library which indirectly affects OpenTofu's behavior.
Typical use of OpenTofu alre
GHSA
GHSA-92mm-2pjq-r785: HashiCorp’s go-getter library up to v1
ghsa_unreviewed · 2026-04-09 · CVSS 7.5 · HIGH · CWE-200
GHSA
HashiCorp's go-getter library may allow arbitrary file reads
ghsa · 2026-04-09 · HIGH · CWE-200
HashiCorp's go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
Red Hat
go-getter: go-getter: Arbitrary file reads via maliciously crafted URL
vendor_redhat · 2026-04-09 · CVSS 7.5 · HIGH · CWE-22
A flaw was found in the go-getter library. A remote attacker could exploit this vulnerability by providing a maliciously crafted URL during certain git operations. This could allow the attacker to perform arbitrary file reads on the file system, potentially leading to the disclosure of sensitive information.
Package: syft/syft (Red Hat Hardened Images) - Affected
Package: redhat-user-workloads/art-images (Red Hat OpenShift Container Platform 4) - Affected
Package: redhat-user-workloads/cli-v06 (Red Hat Trusted Artifact Signer) - Affected
Package: redhat-user-workloads/cli-v07 (Red Hat Trusted Artifact Signer) - Affected
Package: redhat-user-workloads/cli-v08 (Red Hat Trusted Artifact Signer) - Affected
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-4660 golang-github-task: go-getter: Arbitrary file reads via maliciously crafted URL [fedora-all]
bugzilla · 2026-04-10 · CVSS 7.5 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-4660 trivy: go-getter: Arbitrary file reads via maliciously crafted URL [fedora-all]
bugzilla · 2026-04-10 · CVSS 7.5 · HIGH
Bugzilla
CVE-2026-4660 trivy: go-getter: Arbitrary file reads via maliciously crafted URL [epel-all]
bugzilla · 2026-04-10 · CVSS 7.5 · HIGH
Bugzilla
CVE-2026-4660 k9s: go-getter: Arbitrary file reads via maliciously crafted URL [fedora-all]
bugzilla · 2026-04-10 · CVSS 7.5 · HIGH
Bugzilla
CVE-2026-4660 opentofu: go-getter: Arbitrary file reads via maliciously crafted URL [fedora-all]
bugzilla · 2026-04-10 · CVSS 7.5 · HIGH
Bugzilla
CVE-2026-4660 vagrant: go-getter: Arbitrary file reads via maliciously crafted URL [fedora-all]
bugzilla · 2026-04-10 · CVSS 7.5 · HIGH
Discussion:
Vagrant does not ship any Golang bits
Bugzilla
CVE-2026-4660 go-getter: go-getter: Arbitrary file reads via maliciously crafted URL
bugzilla · 2026-04-09 · CVSS 7.5 · HIGH
Wiz
CVE-2026-4660 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.0 · CRITICAL
## CVE-2026-4660: Linux Debian vulnerability analysis and mitigation
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
Source: NVD
Score: 7.5 (severity HIGH, CNA score 7.5)
Published: April 9, 2026
Affected technologies: Linux Debian, Echo
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries: golang-github-hashicorp-go-getter
Sources: NVD
Debian 11, 12: severity HIGH, no fix
References:
https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311
https://access.redhat.com/errata/RHSA-2026:24478
https://access.redhat.com/security/cve/CVE-2026-4660
https://bugzilla.redhat.com/show_bug.cgi?id=2456909
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4660.json
Published: 2026-04-09