CVE-2026-47356
Server-Side Request Forgery in Terrascan

Publication date: 2026-05-19

Last updated on: 2026-05-20

Assigner: Tenable Network Security, Inc.

Description
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhook_url multipart form parameter. After scanning the uploaded file, Terrascan sends an HTTP POST request to the attacker-controlled URL containing the full scan results as a JSON body, with the attacker-supplied webhook_token forwarded as a Bearer token in the Authorization header. The retryable HTTP client retries up to 10 times on failure. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
Meta Information
Published: 2026-05-19
Last Modified: 2026-05-20
Generated: 2026-05-20
AI Q&A: 2026-05-19
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: tenable; Product: terrascan; Version / Range: up to 1.18.3 (inclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

Terrascan versions 1.18.3 and earlier have a Server-Side Request Forgery (SSRF) vulnerability in the webhook_url parameter of the file scan endpoint when running in server mode.

An unauthenticated remote attacker can provide an arbitrary URL via the webhook_url multipart form parameter. After scanning the uploaded file, Terrascan sends an HTTP POST request containing the full scan results as a JSON body to the attacker-controlled URL.

Additionally, the attacker-supplied webhook_token is forwarded as a Bearer token in the Authorization header, and the HTTP client retries the request up to 10 times on failure.

This vulnerability affects deployments running Terrascan in server mode, which binds to all network interfaces (0.0.0.0) without authentication. No patch will be released as Terrascan was archived in August 2023.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Terrascan allows an unauthenticated remote attacker to perform Server-Side Request Forgery (SSRF) and receive full scan results containing potentially sensitive information via an attacker-controlled webhook URL. This exposure of scan results could lead to unauthorized disclosure of sensitive configuration data, which may impact compliance with standards and regulations such as GDPR and HIPAA that require protection of sensitive data and prevention of unauthorized access.

Since Terrascan is used to detect compliance and security violations in Infrastructure as Code, a compromise of its scan results could undermine the integrity and confidentiality of compliance monitoring processes, potentially leading to non-compliance with regulatory requirements.


How can this vulnerability impact me?

This SSRF vulnerability allows an unauthenticated attacker to make Terrascan send HTTP POST requests with sensitive scan results to attacker-controlled URLs.

Because the webhook_token is forwarded as a Bearer token, attackers might gain unauthorized access to sensitive information or use the server as a proxy to reach internal systems.

The server mode binding to 0.0.0.0 without authentication increases exposure, potentially allowing attackers to exploit this vulnerability remotely.

Since no patch is available, affected users must consider mitigating controls such as disabling server mode or restricting network access.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects Terrascan running in server mode, which listens on 0.0.0.0 without authentication and accepts POST requests to the file scan endpoint with a webhook_url parameter. Detection can focus on monitoring network traffic for unusual outbound HTTP POST requests to attacker-controlled URLs originating from the Terrascan server.

You can detect exploitation attempts by capturing and analyzing HTTP requests to the Terrascan server, especially POST requests to endpoints matching the pattern /v1/{iac}/{iacVersion}/{cloud}/local/file/scan containing the webhook_url parameter.

Suggested commands include using network monitoring tools like tcpdump or Wireshark to capture traffic, for example:

  • tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep webhook_url
  • curl -v -X POST 'http://<terrascan-server>:<port>/v1/<iac>/<iacVersion>/<cloud>/local/file/scan' -F 'webhook_url=<test_url>' -F 'file=@testfile'

Additionally, checking Terrascan server logs for incoming requests with the webhook_url parameter or unexpected outbound HTTP POST requests can help identify exploitation.
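The following added example (not part of the advisory or of Terrascan itself) shows detection logic for the request shape described above, run over constructed request records of the kind a reverse proxy or logging middleware in front of Terrascan could emit; it flags POSTs to the scan endpoint that carry webhook_url and classifies where the supplied URL points, since a webhook aimed at loopback, private or link-local addresses is the case to escalate first.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Path shape of the vulnerable endpoint named in the advisory:
# POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan
SCAN_PATH = re.compile(r"^/v1/[^/]+/[^/]+/[^/]+/local/file/scan/?$")

# Constructed sample records (method, path, multipart form fields), the kind a
# reverse proxy or request-logging middleware in front of Terrascan could emit.
SAMPLE_REQUESTS = [
    ("POST", "/v1/terraform/v14/aws/local/file/scan", {"file": "main.tf"}),
    ("POST", "/v1/k8s/v1/all/local/file/scan",
     {"file": "deploy.yaml", "webhook_url": "http://hooks.example.net/collect",
      "webhook_token": "constructed-token"}),
    ("POST", "/v1/terraform/v14/aws/local/file/scan",
     {"file": "main.tf", "webhook_url": "http://169.254.169.254/latest/meta-data/"}),
    ("GET", "/health", {}),
]

def classify_target(url):
    """Classify a webhook destination as 'internal' (loopback, private or
    link-local literal IP), 'external' (public IP or hostname) or 'unparseable'."""
    host = urlparse(url).hostname
    if not host:
        return "unparseable"
    try:
        ip = ip_address(host)
    except ValueError:
        return "external"  # hostname, not an IP literal; resolution is out of scope
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "internal"
    return "external"

def find_webhook_abuse(requests):
    """Flag POSTs to the scan endpoint that carry webhook_url, the request shape
    CVE-2026-47356 describes. A supplied webhook_token is noted because the
    server forwards it verbatim as a Bearer token to that URL."""
    findings = []
    for method, path, form in requests:
        if method != "POST" or not SCAN_PATH.match(path):
            continue
        url = form.get("webhook_url")
        if url is None:
            continue
        findings.append({"path": path, "webhook_url": url,
                         "target": classify_target(url),
                         "token_supplied": "webhook_token" in form})
    return findings
```

Feed the same function records extracted from your proxy's request log; any finding with target "internal" indicates the server was pointed at an address it should never post scan results to.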


What immediate steps should I take to mitigate this vulnerability?

Since Terrascan was archived in August 2023 and no patch will be released for this vulnerability, immediate mitigation steps focus on reducing exposure and limiting the attack surface.

  • Disable or avoid running Terrascan in server mode, especially if it binds to 0.0.0.0 and accepts unauthenticated requests.
  • Restrict network access to the Terrascan server to trusted hosts only, using firewall rules or network segmentation.
  • If running Terrascan server is necessary, implement authentication and authorization controls in front of it, such as reverse proxies with access control.
  • Monitor network traffic and logs for suspicious POST requests containing the webhook_url parameter.
  • Consider replacing Terrascan with alternative IaC scanning tools that are actively maintained and do not have this vulnerability.
