HashiCorp Tooling vulnerabilities
3 known vulnerabilities affecting hashicorp/tooling.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2
Vulnerabilities
CVE-2026-4660 | HIGH | CVSS 7.5 | CWE-200 | fixed in 1.8.6 | 2026-04-09
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
cvelistv5, nvd
CVE-2025-13357 | CRITICAL | CVSS 9.8 | CWE-1188 | ≥ 4.2.0, < 5.5.0 | 2025-11-21
Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in Vaul
cvelistv5, nvd
CVE-2025-1293 | HIGH | CVSS 8.2 | CWE-1390 | fixed in 0.5.0 | 2025-02-20
Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0.
cvelistv5, nvd