Bulletin ID: HCSEC-2026-04
Affected Products / Versions: go-getter up to 1.8.5; fixed in 1.8.6.
Publication Date: April 9, 2026
Summary
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.
Background
HashiCorp’s go-getter is a Go library for downloading files or directories from various sources, using a URL as the primary form of input.
Details
If no Git reference is passed along with the Git URL, go-getter resolves the HEAD reference of the remote repository's default branch by invoking the Git binary on the host it is executing on, with arguments derived from the URL. An attacker may craft a Git URL so that it injects additional Git arguments during checkout operations.
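The vulnerability class described above is argument injection: a value taken from a URL is placed on the Git command line where Git may read it as an option rather than as a repository. The following Go snippet is an added illustration of the defensive pattern for that class and is not go-getter's code or its fix. It assumes a hypothetical "resolve remote HEAD" step built on `git ls-remote`, rejects any user-controlled component that begins with `-`, and places the `--` end-of-options separator before the positional operands so Git stops option parsing; the function only builds the argument vector, it does not run Git.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrOptionLike is returned when a user-controlled value would be parsed by git as an option.
var ErrOptionLike = errors.New("value would be interpreted as a git option")

// rejectOptionLike refuses any user-controlled string that git could read as a flag.
// Anything starting with "-" is refused outright; "--" placement below is the second layer.
func rejectOptionLike(field, value string) error {
	if strings.HasPrefix(value, "-") {
		return fmt.Errorf("%s %q: %w", field, value, ErrOptionLike)
	}
	return nil
}

// headRefArgs builds the argv for a hypothetical "resolve remote HEAD" step
// (constructed for this bulletin, not go-getter's own implementation).
// Only URL-style remotes (https, ssh, git) are accepted; scp-like
// "user@host:path" syntax is out of scope for this illustration.
func headRefArgs(rawURL string) ([]string, error) {
	// Check the raw string first: a value such as "--something" never parses as a URL
	// but would still reach git as a leading argument in a naive implementation.
	if err := rejectOptionLike("url", rawURL); err != nil {
		return nil, err
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	switch u.Scheme {
	case "https", "ssh", "git":
	default:
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.Host == "" {
		return nil, errors.New("missing host")
	}
	// Each component that ends up in a positional argument is checked separately
	// so that an option-like host or path cannot slip through behind the scheme.
	components := []struct{ name, value string }{
		{"host", u.Host},
		{"path", strings.TrimPrefix(u.Path, "/")},
	}
	for _, c := range components {
		if err := rejectOptionLike(c.name, c.value); err != nil {
			return nil, err
		}
	}
	// "--" tells git that everything after it is an operand, never an option
	// (assumed to be honoured by ls-remote's option parser; not exercised here).
	return []string{"ls-remote", "--symref", "--", u.String(), "HEAD"}, nil
}

func main() {
	for _, in := range []string{
		"https://example.com/org/repo.git", // constructed benign input
		"--not-a-url",                      // constructed option-like input
		"file:///tmp/repo",                 // constructed unsupported scheme
	} {
		args, err := headRefArgs(in)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", in, err)
			continue
		}
		fmt.Printf("git %s\n", strings.Join(args, " "))
	}
}
```

In a real integration the returned slice would be passed to `exec.Command("git", args...)` as separate arguments, never joined into a shell string, so that the allow-list on schemes, the leading-dash check and the `--` separator together keep URL-derived data out of Git's option parsing.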
Remediation
Consumers of the go-getter library should evaluate the risk associated with this issue in the context of their go-getter usage and upgrade go-getter to 1.8.6 or later. The latest go-getter releases can be found at https://github.com/hashicorp/go-getter/releases.
Acknowledgement
This issue was identified by Nicholas Gould, who reported it to HashiCorp.
We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.