HashiCorp go-getter Arbitrary File Read Vulnerability (CVE-2026-4660)
HashiCorp's go-getter library up to v1.8.5 is vulnerable to arbitrary file reads on the file system during certain git operations through a maliciously crafted URL (CVE-2026-4660), potentially allowing attackers to access sensitive information.
HashiCorp’s go-getter library, a tool for retrieving files or directories from various sources, is susceptible to an arbitrary file read vulnerability (CVE-2026-4660) in versions up to 1.8.5. The vulnerability stems from insufficient validation of URLs during git operations, potentially allowing a malicious actor to craft a URL that, when processed by go-getter, results in the reading of arbitrary files from the system’s file system. This could lead to the exposure of sensitive data, configuration files, or credentials. The vulnerability has been patched in go-getter version 1.8.6, and the go-getter/v2 branch is not affected. This vulnerability allows for information disclosure, with a CVSS v3.1 score of 7.5.
Attack Chain
- The attacker crafts a malicious URL designed to exploit the go-getter library’s git operation handling.
- The attacker delivers the malicious URL to a system running a vulnerable version of go-getter (<= 1.8.5). The specific delivery mechanism is not defined in the source material.
- The go-getter library processes the URL, attempting to retrieve files as instructed.
- Due to insufficient URL validation, the go-getter library is tricked into accessing arbitrary files on the system.
- The content of the accessed files is read by the go-getter library.
- The attacker retrieves the contents of the file through the go-getter library.
- The attacker gains access to potentially sensitive information contained within the accessed file.
- The attacker leverages the disclosed information for further malicious activities, such as privilege escalation or lateral movement.
Impact
Successful exploitation of CVE-2026-4660 allows an attacker to read arbitrary files on the system where the vulnerable go-getter library is running. This can disclose sensitive information, including configuration files, credentials, source code, or other confidential data. The number of potential victims depends on how widely the go-getter library is embedded in other systems and applications. The impact is significant because it permits unauthorized access to sensitive data, potentially leading to further compromise of the affected system and network.
Recommendation
- Upgrade the go-getter library to version 1.8.6 or later to remediate CVE-2026-4660.
- Implement input validation and sanitization on URLs processed by the go-getter library, focusing on git operations to prevent similar vulnerabilities.
- Monitor network traffic for suspicious URL patterns that may indicate exploitation attempts targeting CVE-2026-4660. While no specific network IOCs are provided, generic webserver rules may be helpful.
- Deploy the Sigma rule "Detect Go-Getter Arbitrary File Read Attempt" to identify potential exploitation attempts based on suspicious process command-line arguments.
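As an added illustration of the second recommendation (validating URLs in the calling application before they reach the library), the Go wrapper below is example code written for this page; it is not go-getter's own API and not HashiCorp's fix. The policy, the `ValidateSource` name and the host allowlist are assumptions. The wrapper gates a go-getter source string on its forced-getter prefix, scheme, host, embedded credentials, `..` path segments and query keys, so that local paths, `file://` sources, scp-style git addresses and non-git getters never reach the git code path. It complements, and does not replace, upgrading to 1.8.6.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrRejected is returned for any source string that fails the policy.
var ErrRejected = errors.New("go-getter source rejected by policy")

// allowedHosts is a constructed allowlist for this example; an operator
// would populate it with the git hosts the application is meant to fetch from.
var allowedHosts = map[string]bool{
	"github.com":           true,
	"git.example.internal": true,
}

// ValidateSource gates a go-getter source string before the application
// hands it to the library. The policy is hypothetical (not go-getter's own):
//   - an optional forced-getter prefix ("getter::url") may only be "git";
//   - the URL must be https and point at an allowlisted host;
//   - no embedded credentials, no ".." path segments, and only the "ref"
//     query key (go-getter's git getter also recognises keys such as
//     "sshkey", which this policy refuses).
// On success the trimmed original string is returned unchanged.
func ValidateSource(src string) (string, error) {
	s := strings.TrimSpace(src)
	rest := s
	if before, after, ok := strings.Cut(s, "::"); ok {
		if before != "git" {
			return "", fmt.Errorf("%w: forced getter %q is not allowed", ErrRejected, before)
		}
		rest = after
	}
	// url.Parse rejects scp-style "git@host:path" (colon in first path
	// segment) and leaves plain paths with an empty scheme, so both fall
	// out of the checks below.
	u, err := url.Parse(rest)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrRejected, err)
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("%w: scheme %q is not https", ErrRejected, u.Scheme)
	}
	if u.User != nil {
		return "", fmt.Errorf("%w: embedded credentials", ErrRejected)
	}
	if !allowedHosts[strings.ToLower(u.Hostname())] {
		return "", fmt.Errorf("%w: host %q not in allowlist", ErrRejected, u.Hostname())
	}
	// go-getter appends "//subdir" to select a directory inside the checkout;
	// refuse any ".." segment anywhere in the path so it cannot escape.
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == ".." {
			return "", fmt.Errorf("%w: path traversal segment", ErrRejected)
		}
	}
	for key := range u.Query() {
		if key != "ref" {
			return "", fmt.Errorf("%w: query key %q is not allowed", ErrRejected, key)
		}
	}
	return s, nil
}

func main() {
	// Constructed sample inputs for illustration only.
	samples := []string{
		"git::https://github.com/hashicorp/go-getter?ref=v1.8.6",
		"https://github.com/hashicorp/go-getter//testdata/../../x",
		"file:///etc/hostname",
		"/var/lib/app/config.hcl",
		"git@github.com:hashicorp/go-getter.git",
	}
	for _, s := range samples {
		if out, err := ValidateSource(s); err != nil {
			fmt.Printf("REJECT %q: %v\n", s, err)
		} else {
			fmt.Printf("ALLOW  %q\n", out)
		}
	}
}
```

Call `ValidateSource` at the single point where untrusted input becomes a go-getter source string and pass the library only what it returns; any rejection should be logged with the offending string, which also gives the detection rules above a host-side event to correlate with.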
Detection coverage (2 rules)
- Detect Go-Getter Arbitrary File Read Attempt (severity: high): Detects potential attempts to exploit CVE-2026-4660 by monitoring process command lines for suspicious patterns indicative of arbitrary file read attempts using go-getter.
- Detect Go-Getter Arbitrary File Read Attempt (Windows) (severity: high): Detects potential attempts to exploit CVE-2026-4660 by monitoring process command lines for suspicious patterns indicative of arbitrary file read attempts using go-getter on Windows systems.
Indicators of compromise (1)
| Type | Value |
|---|---|
| url | https://discuss.hashicorp.com/t/hcsec-2026-04-go-getter-may-allow-to-arbitrary-filesystem-reads-through-git-operations/77311 |