{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-4660/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4660"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-4660","file-read","go-getter","information-disclosure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHashiCorp\u0026rsquo;s go-getter library, a tool for retrieving files or directories from various sources, is susceptible to an arbitrary file read vulnerability (CVE-2026-4660) in versions up to 1.8.5. The vulnerability stems from insufficient validation of URLs during git operations, potentially allowing a malicious actor to craft a URL that, when processed by go-getter, results in the reading of arbitrary files from the system\u0026rsquo;s file system. This could lead to the exposure of sensitive data, configuration files, or credentials. The vulnerability has been patched in go-getter version 1.8.6, and the go-getter/v2 branch is not affected. This vulnerability allows for information disclosure, with a CVSS v3.1 score of 7.5.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious URL designed to exploit the go-getter library\u0026rsquo;s git operation handling.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious URL to a system running a vulnerable version of go-getter (\u0026lt;= 1.8.5). The specific delivery mechanism is not defined in the source material.\u003c/li\u003e\n\u003cli\u003eThe go-getter library processes the URL, attempting to retrieve files as instructed.\u003c/li\u003e\n\u003cli\u003eDue to insufficient URL validation, the go-getter library is tricked into accessing arbitrary files on the system.\u003c/li\u003e\n\u003cli\u003eThe content of the accessed files is read by the go-getter library.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the contents of the file through the go-getter library.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to potentially sensitive information contained within the accessed file.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the disclosed information for further malicious activities, such as privilege escalation or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4660 allows an attacker to read arbitrary files on the system where the vulnerable go-getter library is running. This can lead to the disclosure of sensitive information, including configuration files, credentials, source code, or other confidential data. The number of potential victims is dependent on the widespread adoption of the go-getter library across various systems and applications. The impact is significant as it allows for unauthorized access to sensitive data, potentially leading to further compromise of the affected system and network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the go-getter library to version 1.8.6 or later to remediate CVE-2026-4660.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on URLs processed by the go-getter library, focusing on git operations to prevent similar vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious URL patterns that may indicate exploitation attempts targeting CVE-2026-4660. While no specific network IOCs are provided, generic webserver rules may be helpful.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Go-Getter Arbitrary File Read Attempt\u003c/code\u003e to identify potential exploitation attempts based on suspicious process command-line arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T14:16:32Z","date_published":"2026-04-09T14:16:32Z","id":"/briefs/2026-04-go-getter-file-read/","summary":"HashiCorp's go-getter library up to v1.8.5 is vulnerable to arbitrary file reads on the file system during certain git operations through a maliciously crafted URL (CVE-2026-4660), potentially allowing attackers to access sensitive information.","title":"HashiCorp go-getter Arbitrary File Read Vulnerability (CVE-2026-4660)","url":"https://feed.craftedsignal.io/briefs/2026-04-go-getter-file-read/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-4660","version":"https://jsonfeed.org/version/1.1"}