Cyber Resilience

CVE-2026-4660

Severity: High
Published: 09 April 2026
Modified: 13 April 2026
KEV Added: not listed
Patch: fixed in go-getter v1.8.6
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0002 (3.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4660 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in HashiCorp's go-getter library (vendor and product inferred from the references, since NVD has not filed a CPE). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 3.7th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-4660 affects HashiCorp's go-getter library (the v1 module) up to and including v1.8.5. During certain git operations, a maliciously crafted URL can cause go-getter to read arbitrary files from the file system of the host that processes it. Rated CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and mapped to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), the flaw stems from inadequate validation in git-related URL handling. The go-getter/v2 branch and package are not affected.

Exploitation needs no authentication or user interaction: the attacker supplies a crafted git URL to any application or tool that hands user-controlled source URLs to the vulnerable library. The impact is confined to confidentiality (C:H/I:N/A:N) but is severe, since the attacker can read any file accessible to the process that invokes go-getter, on the host where the URL is processed. In practice the reachable attack surface is whatever accepts getter URLs from untrusted input, for example a service that fetches sources from a URL supplied by its users.

HashiCorp's advisory HCSEC-2026-04 confirms the issue is fixed in go-getter v1.8.6 and urges users of affected versions to upgrade immediately. The full announcement is at https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311.


Vulnerability details

HashiCorp's go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability allows remote unauthenticated attackers to read arbitrary files via crafted git URLs in applications using the library, directly enabling exploitation of public-facing applications (T1190) and data collection from the local system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-22973 (shared CWE-200)
CVE-2024-43707 (shared CWE-200)
CVE-2024-13606 (shared CWE-200)
CVE-2024-13622 (shared CWE-200)
CVE-2024-13611 (shared CWE-200)
CVE-2024-13600 (shared CWE-200)
CVE-2024-55272 (shared CWE-200)
CVE-2025-26167 (shared CWE-200)
CVE-2024-13568 (shared CWE-200)
CVE-2024-13638 (shared CWE-200)

Affected Assets

HashiCorp go-getter (v1 module) up to v1.8.5
Vendor and product inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent: SI-2 (Flaw Remediation). Requires timely remediation of the flaw in go-getter up to v1.8.5 by upgrading to v1.8.6, directly preventing arbitrary file reads via malicious git URLs.

prevent: Enforces validation of git URLs before go-getter processes them, mitigating exploitation through the inadequate URL handling that enables file system reads.

detect: RA-5 (Vulnerability Monitoring and Scanning). Provides vulnerability scanning to identify deployments that still use go-getter versions up to v1.8.5 and are therefore affected by CVE-2026-4660.
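The Go program below is an added example and not code from this page, from HashiCorp or from go-getter. It implements the RA-5 style check from the Mitigating Controls list using the version range given in the Deeper analysis: it reads the JSON that `go list -m -json all` prints for a module and flags any github.com/hashicorp/go-getter (v1) requirement whose effective version is below v1.8.6, while ignoring go-getter/v2 entirely. It honours replace directives, treats a pseudo-version such as v1.8.6-0.2024... as a commit before the fixed tag, and refuses to guess for a directory replace. The embedded module list is a constructed sample; the module names beside go-getter are illustrative and the file name check_getter.go is assumed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Module holds the `go list -m -json all` fields used here; the decoder ignores the rest.
type Module struct {
	Path    string
	Version string
	Replace *Module
}

const (
	affectedPath = "github.com/hashicorp/go-getter" // v1 module; go-getter/v2 is a separate, unaffected module
	fixedVersion = "v1.8.6"
)

// parseSemver reduces "v1.8.5", "v1.8.5+incompatible" or a pseudo-version such as
// "v1.8.6-0.20240101000000-abcdef012345" to MAJOR.MINOR.PATCH plus a pre-release flag.
func parseSemver(v string) (nums [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i] // build metadata never affects ordering
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = true, v[:i] // pre-releases and Go pseudo-versions sort before the bare release
	}
	n, _ := fmt.Sscanf(v, "%d.%d.%d", &nums[0], &nums[1], &nums[2])
	return nums, pre, n == 3
}

// lessThan reports whether a orders before b under semver; unparseable input is never "less".
func lessThan(a, b string) bool {
	an, apre, aok := parseSemver(a)
	bn, bpre, bok := parseSemver(b)
	if !aok || !bok {
		return false
	}
	for i := range an {
		if an[i] != bn[i] {
			return an[i] < bn[i]
		}
	}
	return apre && !bpre
}

// IsVulnerable decides whether one resolved module is go-getter v1 below v1.8.6. A replace
// directive wins because the build compiles the replacement; a pseudo-version such as
// v1.8.6-0.2024... is a commit before the v1.8.6 tag and is therefore still flagged.
func IsVulnerable(m Module) (vulnerable bool, effectiveVersion string) {
	if m.Path != affectedPath {
		return false, ""
	}
	if m.Replace != nil {
		if m.Replace.Version == "" {
			return false, "(local replace)" // replaced by a directory: inspect that checkout by hand
		}
		m = *m.Replace
	}
	return lessThan(m.Version, fixedVersion), m.Version
}

// ScanModuleList decodes the concatenated JSON objects that `go list -m -json all` prints.
func ScanModuleList(r io.Reader) ([]string, error) {
	dec := json.NewDecoder(r)
	var findings []string
	for {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if vuln, ver := IsVulnerable(m); vuln {
			findings = append(findings, fmt.Sprintf("%s %s is affected by CVE-2026-4660; upgrade to %s", m.Path, ver, fixedVersion))
		}
	}
	return findings, nil
}

// SampleModuleList is a constructed stand-in for real `go list -m -json all` output.
const SampleModuleList = `{"Path":"example.com/app","Main":true}
{"Path":"github.com/hashicorp/go-getter","Version":"v1.8.5"}
{"Path":"github.com/hashicorp/go-getter/v2","Version":"v2.2.3"}
{"Path":"github.com/hashicorp/go-version","Version":"v1.7.0"}
`

func main() {
	findings, err := ScanModuleList(strings.NewReader(SampleModuleList))
	fmt.Printf("findings=%q err=%v\n", findings, err)
}
```

To run it against a real module, swap strings.NewReader(SampleModuleList) in main for os.Stdin and pipe in `go list -m -json all` from the module root. The version comparison is standard-library only to keep the example self-contained; a production tool should use golang.org/x/mod/semver, which handles the full pre-release grammar, and should report any go-getter version it cannot parse as a finding to review rather than silently passing it.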

References