GHSA-Q7J3-V8QV-22VQ
Vulnerability from github – Published: 2026-06-19 16:35 – Updated: 2026-06-19 16:35Impact
Possible data exposure.
Summary
While downloading packages from a maliciously crafted URL, some git operations against that URL could allow arbitrary file read. This might allow disclosure of confidential information.
Details
OpenTofu relies on go-getter for downloading packages like providers and modules. While doing so from a maliciously crafted URL, the operator could be affected by confidential information disclosure.
The go-getter maintainers have recently published CVE-2026-4660 for this library which indirectly affects OpenTofu's behavior.
Typical use of OpenTofu already requires caution in selection of URLs that are used to download modules and providers.
Patches
OpenTofu v1.11.10 and v1.12.3 address these vulnerabilities by upgrading to the hashicorp/go-getter@v1.8.6 that fixes this vulnerability.
The OpenTofu v1.10 series is also impacted by these vulnerabilities. However, that series is built with an older version of the library and upgrading it risks breaking the whole v1.10 series. For those using OpenTofu v1.10 releases, we recommend planning an upgrade to OpenTofu v1.11.10 in the near future.
References
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/opentofu/opentofu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/opentofu/opentofu"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0-beta1"
},
{
"fixed": "1.12.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T16:35:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nPossible data exposure.\n#### Summary\nWhile downloading packages from a maliciously crafted URL, some git operations against that URL could allow arbitrary file read.\nThis might allow disclosure of confidential information.\n\n#### Details\nOpenTofu relies on [go-getter](https://github.com/hashicorp/go-getter) for downloading packages like providers and modules. While doing so from a maliciously crafted URL, the operator could be affected by confidential information disclosure. \n\nThe go-getter maintainers have recently published [CVE-2026-4660](https://github.com/advisories/GHSA-92mm-2pjq-r785) for this library which indirectly affects OpenTofu\u0027s behavior.\n\nTypical use of OpenTofu already requires caution in selection of URLs that are used to download modules and providers.\n\n### Patches\nOpenTofu v1.11.10 and v1.12.3 address these vulnerabilities by upgrading to the [hashicorp/go-getter@v1.8.6](https://github.com/hashicorp/go-getter/releases/tag/v1.8.6) that fixes this vulnerability.\n\nThe OpenTofu v1.10 series is also impacted by these vulnerabilities. However, that series is built with an older version of the library and upgrading it risks breaking the whole v1.10 series. \nFor those using OpenTofu v1.10 releases, we recommend planning an upgrade to OpenTofu v1.11.10 in the near future.\n\n### References\n* [Initial report](https://github.com/opentofu/opentofu/pull/4288)\n* [CVE-2026-4660](https://github.com/advisories/GHSA-92mm-2pjq-r785)\n* [OpenTofu v1.12 patch](https://github.com/opentofu/opentofu/pull/4293)\n* [OpenTofu v1.11 patch](https://github.com/opentofu/opentofu/pull/4292)\n* [Patched v1.12.3 version](https://github.com/opentofu/opentofu/releases/tag/v1.12.3)\n* [Patched v1.11.10 version](https://github.com/opentofu/opentofu/releases/tag/v1.11.10)",
"id": "GHSA-q7j3-v8qv-22vq",
"modified": "2026-06-19T16:35:10Z",
"published": "2026-06-19T16:35:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/security/advisories/GHSA-q7j3-v8qv-22vq"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/pull/4288"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/pull/4292"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/pull/4293"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-92mm-2pjq-r785"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/go-getter/releases/tag/v1.8.6"
},
{
"type": "PACKAGE",
"url": "https://github.com/opentofu/opentofu"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/releases/tag/v1.11.10"
},
{
"type": "WEB",
"url": "https://github.com/opentofu/opentofu/releases/tag/v1.12.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenTofu: Possible arbitrary file read during certain git operations via a maliciously crafted URL"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.