CVE-2026-47358: Server-Side Request Forgery (SSRF) in tenable Terrascan
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates when running in server mode. When Terrascan parses uploaded ARM templates or CloudFormation templates, it resolves external URLs referenced within those templates via hashicorp/go-getter with all default detectors enabled, including FileDetector. An unauthenticated remote attacker can upload an ARM template containing a templateLink.uri or parametersLink.uri field, or a CloudFormation template containing an AWS::CloudFormation::Stack TemplateURL field, pointing to an attacker-controlled URL. Terrascan will fetch the attacker-controlled URL server-side. Unlike SSRF via the remote scan endpoint, file:// URLs are directly usable without requiring an X-Terraform-Get redirect, enabling local file read. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
AI Analysis
Technical Summary
Terrascan v1.18.3 and prior, when run in server mode, is vulnerable to SSRF due to its behavior of resolving external URLs referenced in uploaded ARM or CloudFormation templates using hashicorp/go-getter with default detectors enabled. An unauthenticated attacker can upload templates containing fields such as templateLink.uri, parametersLink.uri, or AWS::CloudFormation::Stack TemplateURL that point to attacker-controlled URLs. The server fetches these URLs, enabling SSRF and local file read via file:// URLs. This affects deployments binding to 0.0.0.0 with no authentication. Terrascan was archived in August 2023, and no official patch will be provided.
Potential Impact
An unauthenticated remote attacker can exploit this SSRF vulnerability to make the Terrascan server fetch arbitrary URLs, including local file URLs, potentially leading to disclosure of sensitive local files. The vulnerability affects Terrascan running in server mode with no authentication, exposing the server to remote exploitation. The CVSS score is 7.5 (high severity) with impact primarily on confidentiality. There are no known exploits in the wild. Since Terrascan is archived, no patch will be released.
Mitigation Recommendations
No official patch or fix will be released as Terrascan was archived in August 2023. Users should discontinue use of Terrascan in server mode or restrict access to the server to trusted users only. Avoid running Terrascan server bound to 0.0.0.0 without authentication. Consider migrating to alternative tools that are actively maintained and patched. Patch status is not applicable due to project archival.
CVE-2026-47358: Server-Side Request Forgery (SSRF) in tenable Terrascan
Description
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates when running in server mode. When Terrascan parses uploaded ARM templates or CloudFormation templates, it resolves external URLs referenced within those templates via hashicorp/go-getter with all default detectors enabled, including FileDetector. An unauthenticated remote attacker can upload an ARM template containing a templateLink.uri or parametersLink.uri field, or a CloudFormation template containing an AWS::CloudFormation::Stack TemplateURL field, pointing to an attacker-controlled URL. Terrascan will fetch the attacker-controlled URL server-side. Unlike SSRF via the remote scan endpoint, file:// URLs are directly usable without requiring an X-Terraform-Get redirect, enabling local file read. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Terrascan v1.18.3 and prior, when run in server mode, is vulnerable to SSRF due to its behavior of resolving external URLs referenced in uploaded ARM or CloudFormation templates using hashicorp/go-getter with default detectors enabled. An unauthenticated attacker can upload templates containing fields such as templateLink.uri, parametersLink.uri, or AWS::CloudFormation::Stack TemplateURL that point to attacker-controlled URLs. The server fetches these URLs, enabling SSRF and local file read via file:// URLs. This affects deployments binding to 0.0.0.0 with no authentication. Terrascan was archived in August 2023, and no official patch will be provided.
Potential Impact
An unauthenticated remote attacker can exploit this SSRF vulnerability to make the Terrascan server fetch arbitrary URLs, including local file URLs, potentially leading to disclosure of sensitive local files. The vulnerability affects Terrascan running in server mode with no authentication, exposing the server to remote exploitation. The CVSS score is 7.5 (high severity) with impact primarily on confidentiality. There are no known exploits in the wild. Since Terrascan is archived, no patch will be released.
Mitigation Recommendations
No official patch or fix will be released as Terrascan was archived in August 2023. Users should discontinue use of Terrascan in server mode or restrict access to the server to trusted users only. Avoid running Terrascan server bound to 0.0.0.0 without authentication. Consider migrating to alternative tools that are actively maintained and patched. Patch status is not applicable due to project archival.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- tenable
- Date Reserved
- 2026-05-19T13:49:09.883Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a0c9534ec166c07b0c548ec
Added to database: 5/19/2026, 4:52:04 PM
Last enriched: 5/19/2026, 5:06:40 PM
Last updated: 5/19/2026, 5:59:14 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.