2456909 – (CVE-2026-4660) CVE-2026-4660 go-getter: go-getter: Arbitrary file reads via maliciously crafted URL

Bug 2456909 (CVE-2026-4660) - CVE-2026-4660 go-getter: go-getter: Arbitrary file reads via maliciously crafted URL

Summary: CVE-2026-4660 go-getter: go-getter: Arbitrary file reads via maliciously craf...

Keywords:
Status:	NEW
Alias:	CVE-2026-4660
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2457269 2457270 2457271 2457272 2457273 2457268
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-09 15:01 UTC by OSIDB Bzimport
Modified:	2026-04-10 10:13 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-09 15:01:56 UTC

HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branch and package.

Note You need to log in before you can comment on or make changes to this bug.