CVE-2026-47357: Server-Side Request Forgery (SSRF) in tenable Terrascan
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled HTTP URL as remote_url with remote_type set to "http". The URL is passed directly to hashicorp/go-getter (v1.7.5) without validation. Go-getter's HttpGetter supports the X-Terraform-Get response header, allowing the attacker's server to redirect the download to a file:// URL, enabling local file read. Additionally, HttpGetter has Netrc set to true, causing it to read ~/.netrc and send stored credentials to attacker-controlled hostnames. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-47357 describes an SSRF vulnerability in tenable Terrascan (v1.18.3 and prior) when running in server mode. The vulnerability arises from the remote_url parameter in the POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan endpoint, which accepts attacker-controlled HTTP URLs without validation. The URL is passed to hashicorp/go-getter (v1.7.5), whose HttpGetter supports the X-Terraform-Get header allowing redirection to file:// URLs, enabling local file reads. Additionally, go-getter's HttpGetter reads the ~/.netrc file and sends stored credentials to attacker-controlled hosts. Terrascan server mode listens on 0.0.0.0 with no authentication, making it accessible to unauthenticated remote attackers. Since Terrascan was archived in August 2023, no official fix or patch will be provided.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to perform SSRF attacks that can read local files on the server running Terrascan and potentially exfiltrate credentials stored in the ~/.netrc file. This leads to a confidentiality breach with high impact on sensitive data. The lack of authentication and binding to all network interfaces increases the attack surface. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
No official patch or fix is available because Terrascan was archived in August 2023. Users should discontinue use of Terrascan server mode or isolate it from untrusted networks to prevent exposure. Consider migrating to alternative tools that are actively maintained and do not have this vulnerability. Network-level controls such as firewall rules to restrict access to the Terrascan server may reduce risk but do not eliminate the underlying vulnerability.
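The record above describes the two missing checks: remote_url reaches go-getter unvalidated, and an X-Terraform-Get response value is followed even when it points at file://. As an added example (not code from this record or from the Terrascan project), the Go functions below show the allowlist a server would apply to remote_url before calling a downloader, and the same policy applied to an X-Terraform-Get value after resolving it against the fetched URL, as go-getter does. The function names, the rejected-host rules and the sample URLs are this example's own assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ValidateRemoteURL accepts only http/https URLs that carry no embedded
// credentials and do not point at loopback, private, unspecified or
// link-local addresses. A hostname that resolves to such an address must also
// be checked at connect time; that step is omitted here (assumption).
func ValidateRemoteURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return fmt.Errorf("credentials in URL not allowed")
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return fmt.Errorf("host %q not allowed", host)
	}
	if ip := net.ParseIP(host); ip != nil && (ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsUnspecified() || ip.IsLinkLocalUnicast()) {
		return fmt.Errorf("address %s is not public", ip)
	}
	return nil
}

// ValidateXTerraformGet applies the same policy to an X-Terraform-Get header
// value returned while fetching base. Relative values are resolved against
// base first; an absolute file:// value keeps its scheme and is rejected.
func ValidateXTerraformGet(base, header string) (string, error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	ref, err := url.Parse(header)
	if err != nil {
		return "", err
	}
	target := b.ResolveReference(ref).String()
	if err := ValidateRemoteURL(target); err != nil {
		return "", fmt.Errorf("X-Terraform-Get rejected: %w", err)
	}
	return target, nil
}
```

Because the description notes that HttpGetter runs with Netrc enabled, a server handling untrusted URLs would also keep that option off so ~/.netrc credentials are never attached to a caller-chosen host.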
Technical Details
- Data Version: 5.2
- Assigner Short Name: tenable
- Date Reserved: 2026-05-19T13:49:09.883Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a0c9534ec166c07b0c548e9
Added to database: 5/19/2026, 4:52:04 PM
Last enriched: 5/19/2026, 5:06:47 PM
Last updated: 5/19/2026, 6:06:30 PM
Views: 6