CVE-2026-4660 Overview
HashiCorp's go-getter library, up to and including version v1.8.5, contains an information exposure vulnerability that may allow arbitrary file reads from the file system during certain git operations when a maliciously crafted URL is supplied. An attacker can use this to read sensitive files without authorization, potentially exposing configuration files, credentials, and other confidential data.
Critical Impact
Attackers can leverage maliciously crafted URLs during git operations to read arbitrary files from the filesystem, potentially exposing sensitive configuration data, secrets, and credentials stored on affected systems.
Affected Products
- HashiCorp go-getter library versions up to and including v1.8.5
- Applications and infrastructure tools that depend on the vulnerable go-getter v1 branch
- HashiCorp products utilizing the affected go-getter library versions
Discovery Timeline
- 2026-04-09 - CVE-2026-4660 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-4660
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The go-getter library is widely used within the HashiCorp ecosystem and by third-party applications to download files and modules from a range of sources, including git repositories. The vulnerability manifests specifically in the handling of URLs during git operations.
When a maliciously crafted URL is passed to the go-getter library during git operations, the library fails to properly validate and sanitize the input, allowing an attacker to traverse the filesystem and read arbitrary files. This is particularly dangerous in environments where go-getter processes untrusted user input or external configuration data.
Root Cause
The root cause stems from insufficient input validation in the URL parsing and handling logic within the go-getter library's git getter implementation. When processing git URLs, the library does not adequately sanitize path components, allowing path traversal sequences or specially crafted URL schemes to escape the intended directory scope and access arbitrary files on the filesystem.
Attack Vector
The attack can be executed remotely over the network without authentication or user interaction. An attacker needs only to supply a maliciously crafted URL to an application or service that uses the vulnerable go-getter library for git operations.
The crafted URL exploits the path handling weakness in go-getter's git operations. When an application using the vulnerable library attempts to fetch resources from this URL, the library reads files from outside the intended directory scope. The attacker needs network access to deliver the URL to a vulnerable application, but no privileges on the target system.
For detailed technical information about the vulnerability mechanism, refer to the HashiCorp Security Advisory HCSEC-2026-04.
Detection Methods for CVE-2026-4660
Indicators of Compromise
- Unusual file access patterns in application logs, particularly reads of system files like /etc/passwd, /etc/shadow, or application configuration files
- Git operations with suspicious or malformed URLs containing path traversal sequences
- Error messages indicating failed attempts to access files outside expected directories
- Application crashes or unexpected behavior during git-based fetch operations
Detection Strategies
- Monitor application logs for git operations with unusual URL patterns or path traversal attempts
- Implement file integrity monitoring on sensitive configuration files and directories
- Deploy network intrusion detection rules to identify malicious URL patterns targeting go-getter
- Audit dependency versions across your infrastructure to identify applications using vulnerable go-getter versions
Monitoring Recommendations
- Enable verbose logging for applications using go-getter to capture detailed information about file operations
- Set up alerts for access attempts on sensitive system files from application contexts
- Implement centralized log collection to correlate potential exploitation attempts across multiple systems
- Monitor for unusual outbound data transfers that could indicate successful file exfiltration
How to Mitigate CVE-2026-4660
Immediate Actions Required
- Upgrade go-getter to version v1.8.6 or later immediately across all affected applications
- Consider migrating to the go-getter/v2 branch which is not affected by this vulnerability
- Audit all applications and infrastructure components that depend on go-getter to identify vulnerable instances
- Review and restrict file system permissions for applications using go-getter to limit potential exposure
Patch Information
HashiCorp has released go-getter version v1.8.6 which addresses this vulnerability. The fix implements proper validation and sanitization of URLs during git operations to prevent path traversal and arbitrary file access. Organizations should update their go-getter dependency to this version or later. Note that the go-getter/v2 branch and package are not affected by this vulnerability.
For complete patch details, see the HashiCorp Security Advisory HCSEC-2026-04.
Workarounds
- Implement strict input validation on any URLs passed to go-getter before processing
- Use network segmentation to limit the attack surface of applications using go-getter
- Deploy application-level firewalls or WAF rules to filter malicious URL patterns
- Run applications using go-getter with minimal filesystem permissions using principle of least privilege
# Update go-getter dependency to patched version
go get github.com/hashicorp/go-getter@v1.8.6
# Verify the updated version
go list -m github.com/hashicorp/go-getter
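The input-validation workaround and the log-monitoring detection strategy above both come down to the same check: vet a go-getter source string for traversal sequences and an unexpected scheme or host. The following Go program is an added example, not code from go-getter or from the HashiCorp advisory. It assumes a fetch policy (allowed schemes and an allowlist of git hosts) that is invented for the example, relies only on go-getter's documented `[getter::]url[//subdir][?k=v]` source syntax, and runs the same validator over constructed log lines to produce alert findings. It does not import go-getter itself; the validator is meant to run on a source string before it is handed to the library.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Assumed fetch policy for this example: only these schemes and hosts may be
// handed to go-getter's git getter. Adjust to your own environment.
var (
	allowedSchemes = map[string]bool{"https": true, "ssh": true}
	allowedHosts   = map[string]bool{"github.com": true, "git.example.internal": true}
)

// ErrRejected wraps every validation failure so callers can match on it.
var ErrRejected = errors.New("go-getter source rejected")

// hasTraversal reports whether any path segment (split on "/" or "\") is "..".
func hasTraversal(s string) bool {
	for _, seg := range strings.FieldsFunc(s, func(r rune) bool { return r == '/' || r == '\\' }) {
		if seg == ".." {
			return true
		}
	}
	return false
}

// ValidateGitSource vets a go-getter source string of the documented form
// "[getter::]url[//subdir][?k=v]" before it reaches the library. It accepts only
// a bare or "git::"-forced HTTPS/SSH URL to an allowlisted host and rejects
// traversal sequences, including percent-encoded and double-encoded ones.
func ValidateGitSource(raw string) error {
	s := raw
	if i := strings.Index(s, "::"); i >= 0 {
		if s[:i] != "git" {
			return fmt.Errorf("%w: forced getter %q not permitted", ErrRejected, s[:i])
		}
		s = s[i+2:]
	}
	if strings.ContainsAny(s, "\x00\\") {
		return fmt.Errorf("%w: NUL or backslash in source", ErrRejected)
	}
	// Check the string as given, then after one and two rounds of percent-decoding,
	// so "%2e%2e" and "%252e%252e" cannot hide a ".." segment.
	candidate := s
	for round := 0; round < 3; round++ {
		if hasTraversal(candidate) {
			return fmt.Errorf("%w: path traversal sequence in %q", ErrRejected, raw)
		}
		dec, err := url.PathUnescape(candidate)
		if err != nil {
			return fmt.Errorf("%w: malformed percent-encoding", ErrRejected)
		}
		candidate = dec
	}
	u, err := url.Parse(s)
	if err != nil {
		return fmt.Errorf("%w: unparsable URL: %v", ErrRejected, err)
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] {
		return fmt.Errorf("%w: scheme %q not permitted", ErrRejected, u.Scheme)
	}
	if !allowedHosts[strings.ToLower(u.Hostname())] {
		return fmt.Errorf("%w: host %q not on allowlist", ErrRejected, u.Hostname())
	}
	return nil
}

// sourceToken matches a go-getter source embedded in a log line: an optional
// "getter::" prefix followed by "scheme://..." up to whitespace or a quote.
var sourceToken = regexp.MustCompile(`(?i)(?:[a-z][a-z0-9+.-]*::)?[a-z][a-z0-9+.-]*://[^\s"']+`)

// Finding is one rejected source found in the logs.
type Finding struct {
	Line   int
	Source string
	Reason string
}

// ScanLogLines runs every fetch source found in the lines through
// ValidateGitSource and returns the ones that fail, for alerting.
func ScanLogLines(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		for _, tok := range sourceToken.FindAllString(line, -1) {
			if err := ValidateGitSource(tok); err != nil {
				out = append(out, Finding{Line: i + 1, Source: tok, Reason: err.Error()})
			}
		}
	}
	return out
}

// Constructed sample log lines for the example (not real application output).
var sampleLog = []string{
	`2026-04-09T10:00:01Z INFO fetch src="git::https://github.com/acme/modules.git//network?ref=v1.2.0"`,
	`2026-04-09T10:00:07Z INFO fetch src="https://github.com/acme/modules.git//..%2F..%2F..%2Fetc/passwd"`,
	`2026-04-09T10:00:09Z INFO fetch src="file:///etc/passwd"`,
	`2026-04-09T10:00:12Z INFO fetch src="https://evil.example.net/modules.git"`,
}

func main() {
	for _, f := range ScanLogLines(sampleLog) {
		fmt.Printf("line %d: ALERT %s\n", f.Line, f.Reason)
	}
}
```

Run against the constructed lines, only the first source passes; the other three are flagged for an encoded traversal, a `file` scheme, and a host outside the allowlist. The policy is deliberately strict: scp-style `git@host:org/repo.git` sources fail `url.Parse` and are refused, so loosen it only for hosts you control. The same checks work as a pre-filter in a WAF or log pipeline, but they are a workaround, not a substitute for upgrading to v1.8.6 or later.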
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.