CVE-2026-47358
Server-Side Request Forgery in Terrascan IaC Templates
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: Tenable Network Security, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenable | terrascan | to 1.18.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-610 | The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. |
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Terrascan versions 1.18.3 and earlier have a Server-Side Request Forgery (SSRF) vulnerability when running in server mode. This happens because Terrascan automatically resolves external URLs found in uploaded Infrastructure as Code (IaC) templates, such as ARM or CloudFormation templates. An attacker can upload a malicious template containing URLs that point to attacker-controlled servers. Terrascan will then fetch these URLs from the server side without authentication, potentially allowing the attacker to make the server perform unintended requests. Additionally, file:// URLs can be used to read local files directly, increasing the risk.
How can this vulnerability impact me? :
This vulnerability can allow an unauthenticated remote attacker to make the Terrascan server perform arbitrary requests to internal or external systems, potentially exposing sensitive internal resources or data. The ability to use file:// URLs can lead to local file disclosure on the server running Terrascan. Since Terrascan runs in server mode bound to all interfaces without authentication, this can lead to unauthorized access and data leakage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-47358 vulnerability in Terrascan affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves Terrascan running in server mode resolving external URLs in uploaded IaC templates, which can be exploited via SSRF. Detection would involve monitoring Terrascan server activity for unexpected external URL fetches, especially those triggered by uploaded ARM or CloudFormation templates containing templateLink.uri, parametersLink.uri, or TemplateURL fields.
Since Terrascan is a static code analyzer, you can run Terrascan scans locally on your IaC templates to detect potentially malicious or unexpected external URL references.
However, the provided resources do not include specific commands or network detection methods for this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or not running Terrascan in server mode, especially since it binds to 0.0.0.0 with no authentication, making it vulnerable to unauthenticated remote attacks.
Avoid uploading untrusted ARM or CloudFormation templates to Terrascan server instances.
Since Terrascan was archived in August 2023 and no patch will be released, consider migrating to alternative IaC scanning tools that are actively maintained and do not have this vulnerability.