Skip to main content

Terrascan CVE-2026-47357

| EUVDEUVD-2026-30957 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-19 tenable GHSA-p747-w96h-fwcj
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 19, 2026 - 17:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 19, 2026 - 17:22 vuln.today
cvss_changed
Severity Changed
May 19, 2026 - 17:22 NVD
HIGH CRITICAL
CVSS changed
May 19, 2026 - 17:22 NVD
7.5 (HIGH) 9.2 (CRITICAL)
Analysis Generated
May 19, 2026 - 17:15 vuln.today

DescriptionCVE.org

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled HTTP URL as remote_url with remote_type set to "http". The URL is passed directly to hashicorp/go-getter (v1.7.5) without validation. Go-getter's HttpGetter supports the X-Terraform-Get response header, allowing the attacker's server to redirect the download to a file:// URL, enabling local file read. Additionally, HttpGetter has Netrc set to true, causing it to read ~/.netrc and send stored credentials to attacker-controlled hostnames. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.

AnalysisAI

Server-Side Request Forgery in Tenable's Terrascan IaC scanner (versions 1.18.3 and prior) lets unauthenticated remote attackers read arbitrary local files and exfiltrate ~/.netrc credentials when the tool runs in server mode. Because Terrascan was archived in August 2023, no vendor patch will ever be released, and the daemon binds to 0.0.0.0 with no authentication by default. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 reflects trivial network-reachable abuse paired with significant confidentiality scope change.

Technical ContextAI

Terrascan is a static analysis tool for Infrastructure-as-Code (Terraform, Kubernetes, Helm, etc.) originally developed by Accurics and later maintained by Tenable. Its server mode exposes an HTTP API including POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan, which delegates remote fetching to hashicorp/go-getter v1.7.5. The root cause (CWE-918, SSRF) stems from passing the user-supplied remote_url straight to go-getter's HttpGetter without scheme or destination validation; HttpGetter honors the X-Terraform-Get response header, which can redirect a download to a file:// URI, and it has Netrc=true, which causes it to attach ~/.netrc credentials when contacting any hostname the attacker controls.

RemediationAI

No vendor-released patch identified at time of analysis and none will be issued because Tenable archived the project in August 2023, so the durable fix is to migrate off Terrascan to an actively maintained IaC scanner such as Checkov, KICS, tfsec/Trivy, or Tenable's commercial successor. Until migration is complete, stop running 'terrascan server' entirely and use the CLI mode (which is not affected) inside CI pipelines; if the server must run, bind it to 127.0.0.1 or an internal interface, place it behind an authenticating reverse proxy, and use egress firewall rules to block outbound traffic from the Terrascan host to anything other than known IaC source repositories - trade-off: this breaks legitimate fetches from arbitrary Git/HTTP sources. Additionally, remove or empty ~/.netrc on the account running the daemon to neutralize the credential-leak vector, and block the /v1/*/remote/dir/scan path at any fronting proxy. The upstream repository is at https://github.com/tenable/terrascan (archived).

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2021-30476 CRITICAL POC
9.8 Apr 22

HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Va

CVE-2019-7442 CRITICAL POC
9.8 May 08

An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault

CVE-2018-20371 CRITICAL POC
9.8 Dec 23

PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers

CVE-2018-9843 CRITICAL POC
9.8 Apr 12

The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2021-43837 CRITICAL POC
9.1 Dec 16

vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. Rated cri

CVE-2020-16272 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, w

CVE-2020-16271 CRITICAL POC
9.1 Aug 03

The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows re

CVE-2017-11741 HIGH POC
8.8 Aug 08

HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo help

CVE-2024-52009 HIGH POC
8.5 Nov 08

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high sev

CVE-2025-58437 HIGH POC
8.1 Sep 06

Coder allows organizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.1), t

Share

CVE-2026-47357 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy