Skip to main content

Terrascan CVE-2026-47356

| EUVDEUVD-2026-30952 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-19 tenable GHSA-q2p7-5m6x-29x8
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Updated
May 19, 2026 - 17:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 19, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
May 19, 2026 - 17:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Analysis Generated
May 19, 2026 - 17:15 vuln.today

DescriptionCVE.org

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhook_url multipart form parameter. After scanning the uploaded file, Terrascan sends an HTTP POST request to the attacker-controlled URL containing the full scan results as a JSON body, with the attacker-supplied webhook_token forwarded as a Bearer token in the Authorization header. The retryable HTTP client retries up to 10 times on failure. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.

AnalysisAI

Server-Side Request Forgery in Terrascan up to v1.18.3 lets unauthenticated remote attackers coerce the scanner's HTTP client to POST full IaC scan results - along with an attacker-chosen Bearer token in the Authorization header - to any URL supplied via the webhook_url multipart parameter. Because Terrascan was archived by Tenable in August 2023, no vendor patch will be released, leaving every existing server-mode deployment permanently exposed. No public exploit identified at time of analysis and the CVE is not on CISA KEV, but the trivial exploit primitive (a single multipart POST) makes weaponization straightforward.

Technical ContextAI

Terrascan is a static analysis tool for Infrastructure-as-Code (Terraform, Kubernetes, Helm, CloudFormation, etc.) maintained by Tenable until its August 2023 archival. When invoked as 'terrascan server', it exposes a REST API bound to 0.0.0.0:9010 with no authentication layer. The vulnerable POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan endpoint accepts a webhook_url multipart parameter and, after performing the IaC scan, uses a retryable HTTP client (retrying up to 10 times) to dispatch results to that URL. CWE-918 (SSRF) applies because the server-side HTTP request destination is fully attacker-controlled with no allowlist, scheme restriction, or internal-IP filtering, and the request additionally carries an attacker-supplied bearer credential - making it useful for both blind-SSRF probing of internal services and outbound credential injection or relay attacks.

RemediationAI

No vendor-released patch identified at time of analysis - Tenable archived Terrascan in August 2023 and has stated no patch will be issued, so the only durable fix is to migrate off Terrascan to a maintained IaC scanner (Checkov, KICS, tfsec/Trivy-config, or Tenable's successor tooling). Until migration completes, do not run 'terrascan server'; restrict use to CLI invocations inside CI pipelines, which are not affected by this SSRF. If the server mode is operationally required, do not bind to 0.0.0.0 - front it with a reverse proxy that enforces authentication and strips or rejects the webhook_url multipart parameter, or apply a network policy/host firewall that limits inbound access to known scanner clients and limits outbound egress from the Terrascan host so the SSRF cannot reach cloud metadata services (169.254.169.254), internal admin panels, or arbitrary internet destinations; trade-off is that legitimate webhook delivery to external endpoints will also be blocked. The archived source is at https://github.com/tenable/terrascan for teams that wish to maintain an internal fork.

Share

CVE-2026-47356 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy