PatchSiren

CVE-2026-4660 HashiCorp CVE debrief

CVE-2026-4660 is a vulnerability in HashiCorp's go-getter library, affecting releases up to and including version 1.8.5, that may allow arbitrary files on the local file system to be read during certain git operations when go-getter is handed a maliciously crafted URL. The issue is fixed in go-getter version 1.8.6. The go-getter/v2 branch and package are not affected. The CVSS score is 7.5 (high). The CVE was published on April 9, 2026 and last modified on June 30, 2026.

Vendor: HashiCorp
Product: Tooling
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-09
Original CVE updated: 2026-06-30
Advisory published: 2026-04-09
Advisory updated: 2026-06-30

Who should care

Anyone whose Go code imports github.com/hashicorp/go-getter (the v1 module path) at version 1.8.5 or earlier, directly or as a transitive dependency, and any operator running a tool that vendors it; the Red Hat errata cited under Evidence notes indicates that at least one downstream product ships the library. The fix is to upgrade to 1.8.6 or later, or to move to go-getter/v2, which is not affected. Exposure is greatest where the source string passed to go-getter comes from an untrusted party, for example a service that fetches modules, plugins or templates from user-supplied locations.

Technical summary

go-getter retrieves files and directories from many source types, git repositories among them, and selects the getter and its options from the source URL it is given. CVE-2026-4660 allows an attacker who controls that URL to cause arbitrary files on the local file system to be read during certain git operations. The available descriptions attribute this to insufficient validation of the user-supplied URL and do not give the exact parsing path, so the safe assumption is that any untrusted source string reaching a git fetch is exploitable. The issue is fixed in go-getter 1.8.6; the CVSS score is 7.5 (high).

Defensive priority

Treat this as high priority wherever untrusted input can reach go-getter. A file read with the privileges of the fetching process can expose the credentials, SSH keys and cloud tokens that typically live on CI runners and deployment hosts, which is what the 7.5 score reflects. Upgrade to 1.8.6 or later first; restricting which URLs reach git operations is a stop-gap, not a replacement for the patch.
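One way to keep untrusted source strings away from go-getter's git path while the upgrade is rolled out is to gate them before the library sees them. The following is an added example, not code from go-getter or HashiCorp: it accepts only an explicit https URL to an allowlisted host and refuses forced-getter prefixes (go-getter's `git::` syntax), scheme-less shorthand that the library's detectors would turn into a git fetch, embedded credentials, and query strings (which is where go-getter reads options such as `ref`, `depth` and `sshkey`). The allowlist contents and the internal hostname are assumptions for the example. This reduces attack surface; it does not claim to block the specific parsing bug, whose details the advisory does not publish.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is an assumed allowlist for this example; populate it with
// the hosts your service is actually meant to fetch from.
var allowedHosts = map[string]bool{
	"github.com":       true,
	"git.corp.example": true, // constructed internal host
}

// ValidateSource decides whether an externally supplied go-getter source
// string may be handed to the library at all. It accepts only an explicit
// https URL to an allowlisted host, with no forced-getter prefix, no
// userinfo, no query string and no fragment. Anything else, including the
// bare "github.com/org/repo" shorthand that go-getter's detectors would
// turn into a git fetch, is rejected before go-getter ever parses it.
func ValidateSource(src string) error {
	s := strings.TrimSpace(src)
	if s == "" {
		return errors.New("empty source")
	}
	// "<getter>::<url>" forces a getter (e.g. "git::https://...") regardless
	// of the URL scheme, so refuse any prefix of that form.
	if i := strings.Index(s, "::"); i >= 0 && !strings.Contains(s[:i], "/") {
		return fmt.Errorf("forced getter prefix %q is not allowed", s[:i+2])
	}
	// scp-style "git@host:path" and detector shorthand have no scheme.
	if !strings.Contains(s, "://") {
		return fmt.Errorf("source %q must be an explicit https URL", s)
	}
	u, err := url.Parse(s)
	if err != nil {
		return fmt.Errorf("unparseable source: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials in the URL are not allowed")
	}
	if !allowedHosts[strings.ToLower(u.Hostname())] {
		return fmt.Errorf("host %q is not allowlisted", u.Hostname())
	}
	// go-getter reads options such as ref, depth and sshkey from the query
	// string; keep those out of untrusted hands and add them server-side.
	if u.RawQuery != "" || u.Fragment != "" {
		return errors.New("query strings and fragments are not allowed")
	}
	if strings.Contains(u.Path, "..") {
		return errors.New("path traversal sequence in URL path")
	}
	return nil
}

func main() {
	// Constructed sample inputs, not taken from any real incident.
	for _, src := range []string{
		"https://github.com/hashicorp/go-getter",
		"git::https://github.com/hashicorp/go-getter",
		"github.com/hashicorp/go-getter",
		"git@github.com:hashicorp/go-getter.git",
		"https://github.com/hashicorp/go-getter?ref=main",
		"file:///etc/passwd",
	} {
		if err := ValidateSource(src); err != nil {
			fmt.Printf("REJECT %-50s %v\n", src, err)
		} else {
			fmt.Printf("ACCEPT %s\n", src)
		}
	}
}
```

If callers legitimately need a ref or subdirectory, take those as separate validated fields and append them to the URL after this check, rather than letting the caller compose the whole source string.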

Recommended defensive actions

  • Upgrade to go-getter 1.8.6 or later, or migrate to go-getter/v2, which is not affected; then rebuild and redeploy every binary that vendors the library, since a library fix does nothing until the consuming tool ships with it
  • Until then, do not pass untrusted source strings to go-getter; allowlist the schemes and hosts you accept and reject forced-getter prefixes such as git:: from outside input
  • Monitor fetching hosts for unexpected reads of sensitive paths and for source URLs that do not match the expected pattern
  • Apply compensating controls: run fetchers as a low-privilege user in a confined file system so that an arbitrary read reaches as little as possible
  • Inventory go.mod and go.sum files and vendored copies to find every consumer, prioritising internet-facing and multi-tenant services
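The inventory step is mechanical enough to script. The program below is an added example, not tooling from HashiCorp or the page: it reads go.mod-style "module version" lines, flags only the exact module path github.com/hashicorp/go-getter (so the unaffected /v2 path is skipped) and reports any version below 1.8.6 as affected, treating a pre-release or pseudo-version of 1.8.6 as still affected because Go orders it before the release. The embedded go.mod is constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Affected v1 module path. go-getter/v2 lives at github.com/hashicorp/go-getter/v2,
// a different path, and is not affected, so matching below is exact.
const affectedModule = "github.com/hashicorp/go-getter"

// First fixed release per the advisory.
var fixed = [3]int{1, 8, 6}

// requireRe matches "<module> v<major>.<minor>.<patch>[suffix]"; "// indirect" may follow.
var requireRe = regexp.MustCompile(`^(\S+)\s+(v\d+\.\d+\.\d+\S*)`)

// semverRe splits a module version into numeric parts, an optional pre-release
// part (where pseudo-versions carry their timestamp and hash) and build metadata.
var semverRe = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)(-[^+]*)?(\+.*)?$`)

// Finding is one requirement on the affected module found in the input.
type Finding struct {
	Module   string
	Version  string
	Affected bool
	Indirect bool
}

// IsAffected reports whether a go-getter v1 version is older than v1.8.6.
// v1.8.6-0.20260401120000-0123456789ab (a pseudo-version) sorts before the
// 1.8.6 release under Go module semantics and is therefore affected.
func IsAffected(version string) (bool, error) {
	m := semverRe.FindStringSubmatch(version)
	if m == nil {
		return false, fmt.Errorf("unparseable version %q", version)
	}
	var parts [3]int
	for i := range parts {
		n, err := strconv.Atoi(m[i+1])
		if err != nil {
			return false, err
		}
		parts[i] = n
	}
	for i := range parts {
		if parts[i] < fixed[i] {
			return true, nil
		}
		if parts[i] > fixed[i] {
			return false, nil
		}
	}
	// Numerically equal to 1.8.6: affected only if it is a pre-release of it.
	return m[4] != "", nil
}

// ScanGoMod reports every requirement on the affected module path with its
// patch status. It ignores replace directives; check those by hand if present.
func ScanGoMod(goMod string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require ")
		m := requireRe.FindStringSubmatch(line)
		if m == nil || m[1] != affectedModule {
			continue
		}
		aff, err := IsAffected(m[2])
		if err != nil {
			continue
		}
		out = append(out, Finding{Module: m[1], Version: m[2], Affected: aff,
			Indirect: strings.Contains(line, "// indirect")})
	}
	return out
}

// sampleGoMod is a constructed go.mod for the example, not a real project.
const sampleGoMod = `module example.com/deploytool

go 1.22

require (
	github.com/hashicorp/go-getter v1.8.5
	github.com/hashicorp/go-getter/v2 v2.2.0 // indirect
)
`

func main() {
	for _, f := range ScanGoMod(sampleGoMod) {
		status := "fixed"
		if f.Affected {
			status = "AFFECTED by CVE-2026-4660"
		}
		fmt.Printf("%s %s indirect=%v: %s\n", f.Module, f.Version, f.Indirect, status)
	}
}
```

On a real tree, feed it the output of `go list -m all` rather than the raw go.mod: that lists the resolved version of every module in the build, including ones pulled in only transitively, and its lines have the same "module version" shape, so the same scanner applies. Vendored copies without a go.mod need a manual check of the vendored source tree.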

Evidence notes

The evidence for this entry comes from the HashiCorp discussion forum, Red Hat errata and the NVD record. The dates and score are as listed above: published April 9, 2026, last modified June 30, 2026, CVSS 7.5 (high).

Official resources

This article is AI-assisted and based on the supplied source corpus.