Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled HTTP URL as remote_url with remote_type set to "http". The URL is passed directly to hashicorp/go-getter (v1.7.5) without validation. Go-getter's HttpGetter supports the X-Terraform-Get response header, allowing the attacker's server to redirect the download to a file:// URL, enabling local file read. Additionally, HttpGetter has Netrc set to true, causing it to read ~/.netrc and send stored credentials to attacker-controlled hostnames. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
AnalysisAI
Server-Side Request Forgery in Tenable's Terrascan IaC scanner (versions 1.18.3 and prior) lets unauthenticated remote attackers read arbitrary local files and exfiltrate ~/.netrc credentials when the tool runs in server mode. Because Terrascan was archived in August 2023, no vendor patch will ever be released, and the daemon binds to 0.0.0.0 with no authentication by default. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 reflects trivial network-reachable abuse paired with significant confidentiality scope change.
Technical ContextAI
Terrascan is a static analysis tool for Infrastructure-as-Code (Terraform, Kubernetes, Helm, etc.) originally developed by Accurics and later maintained by Tenable. Its server mode exposes an HTTP API including POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan, which delegates remote fetching to hashicorp/go-getter v1.7.5. The root cause (CWE-918, SSRF) stems from passing the user-supplied remote_url straight to go-getter's HttpGetter without scheme or destination validation; HttpGetter honors the X-Terraform-Get response header, which can redirect a download to a file:// URI, and it has Netrc=true, which causes it to attach ~/.netrc credentials when contacting any hostname the attacker controls.
RemediationAI
No vendor-released patch identified at time of analysis and none will be issued because Tenable archived the project in August 2023, so the durable fix is to migrate off Terrascan to an actively maintained IaC scanner such as Checkov, KICS, tfsec/Trivy, or Tenable's commercial successor. Until migration is complete, stop running 'terrascan server' entirely and use the CLI mode (which is not affected) inside CI pipelines; if the server must run, bind it to 127.0.0.1 or an internal interface, place it behind an authenticating reverse proxy, and use egress firewall rules to block outbound traffic from the Terrascan host to anything other than known IaC source repositories - trade-off: this breaks legitimate fetches from arbitrary Git/HTTP sources. Additionally, remove or empty ~/.netrc on the account running the daemon to neutralize the credential-leak vector, and block the /v1/*/remote/dir/scan path at any fronting proxy. The upstream repository is at https://github.com/tenable/terrascan (archived).
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Va
An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault
PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. Rated cri
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, w
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows re
HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo help
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high sev
Coder allows organizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.1), t
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30957
GHSA-p747-w96h-fwcj