CVE-2026-27818: CWE-20: Improper Input Validation in TerriaJS terriajs-server
CVE-2026-27818 is a high-severity vulnerability in TerriaJS terriajs-server versions prior to 4.0.3. It stems from improper input validation allowing attackers to proxy arbitrary domains beyond those explicitly allowed in the proxyableDomains configuration. This flaw enables remote attackers to misuse the server as an open proxy without authentication or user interaction. Exploitation can lead to confidentiality and integrity risks by facilitating unauthorized access or data interception through the proxy. The vulnerability has a CVSS 4.0 score of 8.7, indicating a significant threat. Although no known exploits are currently observed in the wild, affected organizations should urgently update to version 4.
AI Analysis
Technical Summary
CVE-2026-27818 is a vulnerability identified in the TerriaJS terriajs-server, a NodeJS Express-based server component used to build web-based geospatial data explorers. The vulnerability arises from improper input validation (CWE-20) that allows an attacker to bypass the intended restrictions on proxyable domains configured in the server. Specifically, versions prior to 4.0.3 do not adequately validate the domains that can be proxied, enabling an attacker to use the server as an open proxy to relay requests to arbitrary external domains not explicitly allowed in the proxyableDomains configuration. This flaw can be exploited remotely without requiring authentication or user interaction, making it highly accessible to attackers. The vulnerability has been assigned a CVSS 4.0 score of 8.7, reflecting its high severity due to the ease of exploitation and the potential impact on confidentiality and integrity. By leveraging this vulnerability, attackers could anonymize their traffic, conduct malicious activities such as data exfiltration, or bypass network restrictions by routing traffic through the vulnerable server. The fix, implemented in version 4.0.3, involves correcting the input validation logic to strictly enforce the proxyableDomains whitelist, preventing unauthorized proxying. No public exploits have been reported yet, but the vulnerability poses a significant risk to any organization deploying vulnerable versions of terriajs-server, especially those exposing the proxy functionality to untrusted users or the internet.
Potential Impact
The impact of CVE-2026-27818 is substantial for organizations using TerriaJS terriajs-server in their geospatial data exploration platforms. Exploitation allows attackers to misuse the server as an open proxy, which can facilitate anonymized malicious activities such as scanning, data exfiltration, or evading network controls. This can lead to unauthorized access to sensitive data, compromise of data integrity, and potential reputational damage. Additionally, the proxy misuse could result in the organization’s infrastructure being implicated in malicious activities, leading to blacklisting or legal consequences. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale by remote attackers. Organizations relying on geospatial data services for government, environmental monitoring, urban planning, or defense could face operational disruptions or data breaches. The availability of the service might also be indirectly affected if the proxy is abused for high-volume traffic or denial-of-service attacks. Overall, the vulnerability poses a high risk to confidentiality and integrity, with potential secondary impacts on availability and organizational trust.
Mitigation Recommendations
To mitigate CVE-2026-27818, organizations should immediately upgrade terriajs-server to version 4.0.3 or later, where the input validation bug has been fixed. Beyond patching, administrators must audit and strictly configure the proxyableDomains whitelist to include only trusted domains necessary for business operations. Implement additional input validation and sanitization layers to ensure no unauthorized domains can be proxied. Network-level controls such as firewall rules or proxy restrictions should be applied to limit outbound traffic from the terriajs-server to approved destinations only. Monitoring and logging of proxy requests should be enabled to detect anomalous or unauthorized proxy usage. If upgrading is temporarily not possible, consider disabling the proxy feature or restricting access to the terriajs-server to trusted internal networks. Regular vulnerability scanning and penetration testing should be conducted to verify that the proxy restrictions are effective. Finally, educate development and operations teams about secure configuration practices for proxy services to prevent similar issues in the future.
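Two of the recommendations above, strictly enforcing the proxyableDomains allowlist and reviewing proxy logs for requests to hosts outside it, can be illustrated in code. The following is an added example written for this page; it is not terriajs-server's own code and does not reproduce the project's actual validation logic or log format, neither of which this page describes. It assumes an allowlist of hostnames in which a leading "." means "this domain and its subdomains" (an assumed convention), parses each target with the WHATWG `URL` class rather than matching strings, and treats ambiguous inputs (userinfo, IP literals, non-HTTP schemes, unparseable values) as denied. The log lines are constructed for the example.

```javascript
// Added example, not terriajs-server code: strict host allowlisting for a URL
// proxy, plus an audit of proxy log lines against the same allowlist.
// Assumption: allowlist entries are hostnames; a leading "." also admits subdomains.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Lowercase the host and strip a single trailing dot ("example.org." == "example.org").
function normaliseHost(host) {
  const h = String(host).toLowerCase().replace(/\.$/, '');
  return h.length > 0 ? h : null;
}

// Decide whether `target` may be proxied. Returns { ok, host, reason } so the
// caller can log the reason for a refusal.
function checkProxyTarget(target, allowlist) {
  let url;
  try {
    url = new URL(target); // parse, never pattern-match the raw string
  } catch {
    return { ok: false, host: null, reason: 'unparseable URL' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, host: null, reason: `scheme ${url.protocol} not allowed` };
  }
  // "https://allowed.example@other.example/" has hostname other.example; a
  // substring check would be fooled, so refuse any URL carrying credentials.
  if (url.username || url.password) {
    return { ok: false, host: null, reason: 'userinfo in URL' };
  }
  const host = normaliseHost(url.hostname);
  if (!host) return { ok: false, host: null, reason: 'empty host' };
  // IP literals ([::1], 192.0.2.10) never satisfy a name-based allowlist.
  if (host.startsWith('[') || /^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    return { ok: false, host, reason: 'IP literal not allowed' };
  }
  for (const entry of allowlist) {
    const wildcard = entry.startsWith('.');
    const e = normaliseHost(wildcard ? entry.slice(1) : entry);
    if (!e) continue;
    if (host === e) return { ok: true, host, reason: 'exact match' };
    // Require the separating dot so "evil-tiles.example.org" cannot match ".tiles.example.org".
    if (wildcard && host.endsWith('.' + e)) return { ok: true, host, reason: 'subdomain match' };
  }
  return { ok: false, host, reason: 'host not in allowlist' };
}

// Assumed allowlist for the example, in the spirit of the page's proxyableDomains setting.
const PROXYABLE_DOMAINS = ['.tiles.example.org', 'geo.example.com'];

// Constructed sample log lines (hypothetical format: time, client, request, status).
const SAMPLE_LOG = [
  '2026-02-26T00:10:01Z 203.0.113.5 "GET /proxy/https://tiles.example.org/1/2/3.png" 200',
  '2026-02-26T00:10:02Z 203.0.113.5 "GET /proxy/https://api.tiles.example.org/v1/meta" 200',
  '2026-02-26T00:10:03Z 198.51.100.7 "GET /proxy/http://unrelated.example.net/" 200',
  '2026-02-26T00:10:04Z 198.51.100.7 "GET /proxy/https://tiles.example.org@unrelated.example.net/" 200',
  '2026-02-26T00:10:05Z 198.51.100.7 "GET /proxy/http://192.0.2.10/admin" 200',
  '2026-02-26T00:10:06Z 203.0.113.9 "GET /index.html" 200',
];

const LOG_RE = /^(\S+) (\S+) "GET \/proxy\/(\S+)" (\d+)$/;

// Replay each logged proxy target through the allowlist check and return the
// requests a correctly configured server should have refused.
function auditProxyLog(lines, allowlist) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue; // not a proxy request
    const [, time, client, target, status] = m;
    const verdict = checkProxyTarget(target, allowlist);
    if (!verdict.ok) {
      findings.push({ time, client, target, status: Number(status), reason: verdict.reason });
    }
  }
  return findings;
}

for (const f of auditProxyLog(SAMPLE_LOG, PROXYABLE_DOMAINS)) {
  console.log(`${f.time} ${f.client} -> ${f.target} (${f.reason})`);
}
```

Running the block prints the three constructed log entries that fall outside the allowlist: a host that is simply not listed, a URL whose userinfo hides an unlisted host, and a raw IP literal. The same `checkProxyTarget` function is what a proxy route handler would call before forwarding a request, so the audit and the enforcement agree by construction.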
Affected Countries
United States, Australia, Canada, United Kingdom, Germany, Japan, New Zealand, France, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:32:39.799Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 699f8fb4b7ef31ef0b6dc8c4
Added to database: 2/26/2026, 12:11:32 AM
Last enriched: 2/26/2026, 12:26:00 AM
Last updated: 2/26/2026, 3:00:23 AM