
OpenTofu: Possible arbitrary file read during certain git operations via a maliciously crafted URL

High severity GitHub Reviewed Published Jun 18, 2026 in opentofu/opentofu • Updated Jun 19, 2026

Package

gomod github.com/opentofu/opentofu (Go)

Affected versions

< 1.11.10
>= 1.12.0-beta1, < 1.12.3

Patched versions

1.11.10
1.12.3

Description

Impact

Possible data exposure.

Summary

When OpenTofu downloads a package from a maliciously crafted URL, some of the git operations it performs against that URL could allow arbitrary file read, which might disclose confidential information.

Details

OpenTofu relies on go-getter for downloading packages such as providers and modules. When the package source is a maliciously crafted URL, the git operations go-getter performs against it can read files the operator never intended to expose, disclosing confidential information to whoever controls that URL.

The go-getter maintainers have recently published CVE-2026-4660 for this library, which indirectly affects OpenTofu's behavior.

Typical use of OpenTofu already requires caution in the selection of URLs used to download modules and providers. Until the upgrade is applied, a module or provider source that is not fully trusted should be treated as capable of reading local files on the machine that runs OpenTofu.

Patches

OpenTofu v1.11.10 and v1.12.3 address this vulnerability by upgrading to hashicorp/go-getter v1.8.6, which contains the fix.

The OpenTofu v1.10 series is also affected. However, that series is built against an older version of the library, and upgrading it risks breaking the whole v1.10 series.
Users of OpenTofu v1.10 releases should plan an upgrade to OpenTofu v1.11.10 in the near future.
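The two checks a practitioner actually wants after reading the affected and patched version lists are (a) whether a given OpenTofu release falls inside the affected ranges and (b) whether a particular tofu binary embeds go-getter at or above the fixed v1.8.6. The following is an added example written for this page, not code from the OpenTofu project. It assumes the version tags follow Semantic Versioning (so 1.12.0-beta1 sorts before 1.12.0), that the go-getter module path is github.com/hashicorp/go-getter, and that `go version -m <binary>` prints dependency lines in the form `dep <module> <version> <hash>`; the build-info text embedded below is constructed to imitate that output and does not come from a real binary.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// semver is the subset of Semantic Versioning needed to compare OpenTofu and
// go-getter release tags: major.minor.patch plus an optional pre-release label.
type semver struct {
	major, minor, patch int
	pre                 string // "" for a final release, "beta1" for 1.12.0-beta1
}

// parseSemver accepts "1.12.3", "v1.8.6" and "1.12.0-beta1"; anything else is an error.
func parseSemver(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	var v semver
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre = s[i+1:]
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("malformed version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("malformed version %q: %w", s, err)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// compare returns -1, 0 or 1. A pre-release sorts before the final release
// with the same numbers (1.12.0-beta1 < 1.12.0), as SemVer specifies.
func (v semver) compare(o semver) int {
	for _, d := range [][2]int{{v.major, o.major}, {v.minor, o.minor}, {v.patch, o.patch}} {
		if d[0] < d[1] {
			return -1
		}
		if d[0] > d[1] {
			return 1
		}
	}
	switch {
	case v.pre == o.pre:
		return 0
	case v.pre == "":
		return 1
	case o.pre == "":
		return -1
	}
	return strings.Compare(v.pre, o.pre)
}

func mustParse(s string) semver {
	v, err := parseSemver(s)
	if err != nil {
		panic(err)
	}
	return v
}

// Boundaries taken from the advisory: affected is < 1.11.10, or >= 1.12.0-beta1 and < 1.12.3;
// the fixed library release is go-getter v1.8.6.
var (
	fixed111    = mustParse("1.11.10")
	beta112     = mustParse("1.12.0-beta1")
	fixed112    = mustParse("1.12.3")
	fixedGetter = mustParse("v1.8.6")
)

// TofuAffected reports whether an OpenTofu release is inside the affected ranges.
func TofuAffected(version string) (bool, error) {
	v, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	if v.compare(fixed111) < 0 {
		return true, nil
	}
	return v.compare(beta112) >= 0 && v.compare(fixed112) < 0, nil
}

// GoGetterVersion extracts the go-getter version from `go version -m <binary>` output
// (assumed line shape: "\tdep\tgithub.com/hashicorp/go-getter\tv1.8.5\th1:..."). Returns "" if absent.
func GoGetterVersion(goVersionOutput string) string {
	sc := bufio.NewScanner(strings.NewReader(goVersionOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && f[0] == "dep" && f[1] == "github.com/hashicorp/go-getter" {
			return f[2]
		}
	}
	return ""
}

// GoGetterPatched reports whether the embedded go-getter is v1.8.6 or newer.
func GoGetterPatched(goVersionOutput string) (bool, error) {
	ver := GoGetterVersion(goVersionOutput)
	if ver == "" {
		return false, fmt.Errorf("go-getter not present in build info")
	}
	v, err := parseSemver(ver)
	if err != nil {
		return false, err
	}
	return v.compare(fixedGetter) >= 0, nil
}

// sampleBuildInfo is constructed for this example to imitate `go version -m tofu`; it is not real output.
const sampleBuildInfo = "tofu: go1.24.0\n\tpath\tgithub.com/opentofu/opentofu/cmd/tofu\n" +
	"\tdep\tgithub.com/hashicorp/go-getter\tv1.8.5\th1:constructed=\n"

func main() {
	for _, v := range []string{"1.10.6", "1.11.9", "1.11.10", "1.12.0-beta1", "1.12.2", "1.12.3"} {
		a, _ := TofuAffected(v)
		fmt.Printf("tofu %-13s affected=%v\n", v, a)
	}
	ok, err := GoGetterPatched(sampleBuildInfo)
	fmt.Println("embedded go-getter patched:", ok, err)
}
```

In practice you would feed GoGetterPatched the real output of `go version -m $(command -v tofu)`; checking the embedded library version rather than only the tofu version string matters for the v1.10 series, which has no patched release and must be judged by what it actually links.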

References

yottta published to opentofu/opentofu on Jun 18, 2026
Published to the GitHub Advisory Database Jun 19, 2026
Reviewed Jun 19, 2026
Last updated Jun 19, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
7.5 / 10 (computed from the CVSS v3.1 vector given under the base metrics)

CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS score

Weaknesses

Dependency on Vulnerable Third-Party Component (CWE-1395)

The product has a dependency on a third-party component that contains one or more known vulnerabilities.

CVE ID

No known CVE

GHSA ID

GHSA-q7j3-v8qv-22vq
