Arbitrary File Read Vulnerability in HashiCorp's go-getter Library
CVE-2026-4660

7.5HIGH

Key Information:

Vendor: Hashicorp
Status: Tooling
Vendor: CVE Published:; 9 April 2026

What is CVE-2026-4660?

The go-getter library developed by HashiCorp is susceptible to an arbitrary file read vulnerability during specific git operations. This occurs when users encounter maliciously crafted URLs, potentially leading to unauthorized access to the file system. The issue has been addressed in version 1.8.6, and users of earlier versions are encouraged to upgrade to mitigate associated risks. Importantly, the vulnerability does not extend to the go-getter/v2 branch and package, which remains unaffected.

Affected Version(s)

Tooling 64 bit 0 < 1.8.6

References

https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-m...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2026
Vulnerability Reserved
Mar 23, 2026

CVE-2026-4660 Data

JSON

Hashicorp

What is CVE-2026-4660?

Affected Version(s)

References

CVSS V3.1

Timeline