CVE-2026-27818 is a vulnerability in the terriajs-server component of TerriaJS, a NodeJS Express server used for building web-based geospatial data explorers. The root cause is improper input validation (CWE-20) that allows an attacker to bypass the configured whitelist of proxyable domains (`proxyableDomains`). This misconfiguration or validation bug permits an attacker to proxy arbitrary domains through the server, effectively turning it into an open proxy. The vulnerability affects all versions prior to 4.0.3, which contains the fix. Exploitation requires no authentication or user interaction and can be performed remotely over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N) indicates high impact on confidentiality and integrity due to the potential for unauthorized data access or manipulation via the proxy. While no public exploits have been observed, the vulnerability poses a significant risk because it can be leveraged for anonymizing malicious traffic, bypassing network controls, or conducting further attacks through the proxy server. The vulnerability is categorized under CWE-20 (Improper Input Validation) and CWE-918 (Server-Side Request Forgery), highlighting the nature of the flaw as a server-side request forgery enabled by insufficient validation of proxy domain inputs.

The vulnerability allows attackers to use the terriajs-server as an open proxy, which can have several severe consequences. Organizations may experience unauthorized data exfiltration or leakage if sensitive internal or external resources are accessed through the proxy. Attackers can anonymize malicious activities, complicating attribution and incident response. This can also lead to reputational damage if the server is used for illicit purposes such as spam, scanning, or launching attacks against third parties. The integrity of data may be compromised if attackers manipulate proxied requests or responses. Availability is less directly impacted, but abuse of the proxy could lead to resource exhaustion or denial of service. Since the vulnerability requires no authentication or user interaction, exploitation is straightforward, increasing the likelihood of attack attempts. Entities relying on TerriaJS for geospatial data exploration, especially in government, research, and environmental monitoring sectors, face elevated risks of operational disruption and data compromise.

Organizations should immediately upgrade terriajs-server to version 4.0.3 or later, which contains the official fix for this vulnerability. In addition to patching, administrators must audit and strictly configure the `proxyableDomains` whitelist to include only trusted domains, avoiding overly broad or wildcard entries. Implement network-level controls such as firewall rules or proxy filters to restrict outbound requests from the server to authorized destinations. Enable detailed logging and monitoring of proxy requests to detect unusual or unauthorized domain access patterns. Consider deploying web application firewalls (WAFs) with rules to detect and block SSRF or proxy abuse attempts. Regularly review and test input validation mechanisms in custom configurations or extensions of terriajs-server. Educate development and operations teams about the risks of SSRF and improper input validation to prevent similar issues in future deployments.