HashiCorp go-getter v1.8.5 Arbitrary File Read via Git URL
CVE-2026-4660 Published on April 9, 2026

go-getter may allow arbitrary filesystem reads through git operations
HashiCorp's go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
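
To check whether a project pins an affected release, the following added example (not code from HashiCorp or from this advisory) scans the `require` directives of a go.mod for go-getter v1 versions below v1.8.6. It assumes the v1 module path is `github.com/hashicorp/go-getter`; the sample go.mod and the function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// v1 module path; github.com/hashicorp/go-getter/v2 is a separate path and is not affected.
const affectedModule = "github.com/hashicorp/go-getter"

// isAffected reports whether a version sorts before the fixed v1.8.6 (pre-releases of v1.8.6 included).
func isAffected(version string) bool {
	core, _, hasPre := strings.Cut(strings.TrimPrefix(version, "v"), "-")
	var got [3]int
	if n, _ := fmt.Sscanf(core, "%d.%d.%d", &got[0], &got[1], &got[2]); n != 3 {
		return false // not a semantic version
	}
	for i, fixed := range [3]int{1, 8, 6} {
		if got[i] != fixed {
			return got[i] < fixed
		}
	}
	return hasPre
}

// findAffected returns the affected go-getter versions named in require directives.
func findAffected(goMod string) (hits []string) {
	inBlock := false
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.Split(line, "//")[0]) // drop "// indirect" comments
		if len(f) > 0 && f[0] == "require" {
			f = f[1:] // single-line form, or the opening "require ("
			inBlock = len(f) == 1 && f[0] == "("
		} else if len(f) > 0 && f[0] == ")" {
			inBlock = false
		} else if !inBlock {
			continue // module, go, replace and exclude lines
		}
		if len(f) == 2 && f[0] == affectedModule && isAffected(f[1]) {
			hits = append(hits, f[1])
		}
	}
	return hits
}

func main() {
	sample := "require (\n\tgithub.com/hashicorp/go-getter v1.7.4 // indirect\n\tgithub.com/hashicorp/go-getter/v2 v2.2.1\n)\n" // constructed
	fmt.Println(findAffected(sample))
}
```

The scan reads only the go.mod it is given, so a version changed by a `replace` directive or pulled in by another module's requirements still needs a check against the resolved build list.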

NVD

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2026-4660 has been classified as an Information Disclosure vulnerability or weakness.


Affected Versions

HashiCorp Tooling:

Exploit Probability

EPSS: 0.03%
Percentile: 8.71%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.