CVE-2026-4660: Go-getter may allow to arbitrary filesystem reads through git operations
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
Security readout for executives and security teams
Plain-English summary
CVE-2026-4660 is a high-severity information disclosure flaw in HashiCorp go-getter. A malicious URL used in certain git operations may let an attacker read files from the affected system. The confirmed fix is go-getter v1.8.6; go-getter/v2 is stated as unaffected.
Executive priority
Prioritize remediation where internet-facing workflows accept repository or module URLs. The issue is confidentiality-focused, but arbitrary file reads can expose secrets, tokens, or configuration files that enable wider compromise.
Technical view
HashiCorp go-getter through v1.8.5 may allow arbitrary filesystem reads via crafted URLs during some git operations. The CVSS 3.1 score is 7.5, reflecting network reachability, low complexity, no privileges, no user interaction, and high confidentiality impact only.
Likely exposure
Exposure is most likely where software imports go-getter v1.x through v1.8.5 and accepts untrusted or user-controlled git source URLs. Systems using go-getter/v2 are not affected per the source bundle.
Exploitation context
The provided sources do not show CISA KEV listing or active exploitation. Exploitation status should be treated as unconfirmed. Risk is driven by confidentiality impact if crafted URLs reach vulnerable git retrieval paths.
Researcher notes
The bundle does not include detailed root-cause mechanics, proof-of-concept material, or complete downstream product impact. Keep analysis scoped to go-getter v1.x through v1.8.5, crafted URLs, and git operations unless vendor advisories add detail.
Mitigation direction
Upgrade HashiCorp go-getter v1.x to v1.8.6 or later.
Confirm go-getter/v2 users are actually importing the unaffected v2 package.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-200: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.