Cyber Posture

CVE-2026-4660

High

Published: 09 April 2026
Modified: 13 April 2026
KEV Added: not listed
Patch: available (fixed in go-getter v1.8.6)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0001 (2.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4660 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in HashiCorp's go-getter library (vendor inferred from the references, as NVD filed no CPE). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 2.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely remediation of the flaw in go-getter up to v1.8.5 by upgrading to v1.8.6, directly preventing arbitrary file reads via malicious git URLs.

prevent: Enforces validation of git URLs processed by go-getter, mitigating exploitation through inadequate URL handling that enables filesystem reads.

detect: Provides vulnerability scanning to identify deployments using vulnerable go-getter versions up to v1.8.5 affected by CVE-2026-4660.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability allows remote unauthenticated attackers to read arbitrary files via crafted git URLs in applications using the library, directly enabling exploitation of public-facing applications (T1190) and data collection from the local system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

HashiCorp's go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

Deeper analysis

CVE-2026-4660 affects HashiCorp's go-getter library versions up to v1.8.5, enabling arbitrary file reads on the file system during certain git operations when processing a maliciously crafted URL. Rated at CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and mapped to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), the flaw arises from inadequate validation in git-related URL handling. It does not impact the go-getter/v2 branch or package.

Attackers can exploit this vulnerability remotely without authentication or user interaction by supplying a specially crafted git URL to any application or tool that uses the vulnerable go-getter library. Successful exploitation grants high-impact confidentiality violations, allowing unauthenticated remote attackers to read arbitrary files on the host system where go-getter processes the URL.

HashiCorp's advisory confirms the issue is resolved in go-getter v1.8.6, urging users of affected versions to upgrade immediately. Additional details are available in the official security announcement at https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311.
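The detect control above calls for scanning deployments for go-getter versions up to v1.8.5, and the analysis notes that only the v1 module is affected. The following is an added example (not code from the page, HashiCorp, or go-getter) that checks a Go module's go.mod for an affected go-getter requirement; the module path github.com/hashicorp/go-getter is the library's real v1 import path, the go.mod contents are constructed sample input, and pseudo-versions such as v1.8.6-0.2026... are treated as still vulnerable because they sort before the v1.8.6 release.

```python
import re

# Version facts stated on the page: every go-getter (v1) release up to v1.8.5
# is affected and v1.8.6 contains the fix; the go-getter/v2 module is not affected.
VULNERABLE_MODULE = "github.com/hashicorp/go-getter"
FIXED_VERSION = (1, 8, 6)

# Matches a go.mod requirement line, either "require <path> v<ver>" or an
# indented "<path> v<ver>" entry inside a "require ( ... )" block.
REQUIRE_RE = re.compile(
    r"^\s*(?:require\s+)?(?P<path>\S+)\s+v(?P<ver>\d+\.\d+\.\d+)(?P<pre>[-+]\S*)?"
)


def parse_version(ver: str) -> tuple:
    """'1.8.5' -> (1, 8, 5), comparable with Python tuple ordering."""
    return tuple(int(part) for part in ver.split("."))


def vulnerable_requirements(go_mod_text: str) -> list:
    """Return (module, version) pairs in go_mod_text affected by CVE-2026-4660."""
    findings = []
    for line in go_mod_text.splitlines():
        line = line.split("//", 1)[0]  # drop trailing comments such as '// indirect'
        m = REQUIRE_RE.match(line)
        if not m or m.group("path") != VULNERABLE_MODULE:
            continue  # go-getter/v2 has a different module path and is unaffected
        version = parse_version(m.group("ver"))
        pre = m.group("pre") or ""
        # A '-' suffix marks a pre-release or pseudo-version, which precedes the
        # tagged release, so v1.8.6-0.2026... is still before the fixed v1.8.6.
        if version < FIXED_VERSION or (version == FIXED_VERSION and pre.startswith("-")):
            findings.append((m.group("path"), "v" + m.group("ver") + pre))
    return findings


# Constructed sample go.mod: one affected v1 requirement and an unaffected v2 one.
SAMPLE_GO_MOD = """\
module example.com/constructed/app

go 1.22

require (
    github.com/hashicorp/go-getter v1.7.8
    github.com/hashicorp/go-getter/v2 v2.2.3
    github.com/spf13/cobra v1.8.1 // indirect
)
"""

if __name__ == "__main__":
    for module, version in vulnerable_requirements(SAMPLE_GO_MOD):
        print(f"CVE-2026-4660: {module} {version} is affected, upgrade to v1.8.6")
```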

Details

CWE(s)

CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Affected Products

HashiCorp go-getter (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-24253 (shared CWE-200)
CVE-2026-39412 (shared CWE-200)
CVE-2024-55272 (shared CWE-200)
CVE-2025-26167 (shared CWE-200)
CVE-2025-22973 (shared CWE-200)
CVE-2026-2268 (shared CWE-200)
CVE-2025-27784 (shared CWE-200)
CVE-2025-8590 (shared CWE-200)
CVE-2026-24870 (shared CWE-200)
CVE-2024-57716 (shared CWE-200)

References

HashiCorp security announcement HCSEC-2026-04: https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311