Which versions of Terrascan are affected by CVE-2026-47357?

Tenable's Terrascan Infrastructure-as-Code scanner (versions 1.18.3 and prior) contains a critical vulnerability that enables unauthorized access to system credentials from any network-connected…

Terrascan CVE-2026-47357

Q: What is the CVSS score of CVE-2026-47357?

CVE-2026-47357 has a CVSS 4.0 base score of 9.2 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-30957 CRITICAL

Server-Side Request Forgery (SSRF) (CWE-918)

2026-05-19 tenable

GHSA-p747-w96h-fwcj

SSRF Hashicorp

9.2

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 19, 2026 - 17:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 19, 2026 - 17:22 vuln.today

cvss_changed

Severity Changed

May 19, 2026 - 17:22 NVD

HIGH CRITICAL

CVSS changed

May 19, 2026 - 17:22 NVD

7.5 (HIGH) 9.2 (CRITICAL)

Analysis Generated

May 19, 2026 - 17:15 vuln.today

DescriptionNVD

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled HTTP URL as remote_url with remote_type set to "http". The URL is passed directly to hashicorp/go-getter (v1.7.5) without validation. Go-getter's HttpGetter supports the X-Terraform-Get response header, allowing the attacker's server to redirect the download to a file:// URL, enabling local file read. Additionally, HttpGetter has Netrc set to true, causing it to read ~/.netrc and send stored credentials to attacker-controlled hostnames. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.

AnalysisAI

Server-Side Request Forgery in Tenable's Terrascan IaC scanner (versions 1.18.3 and prior) lets unauthenticated remote attackers read arbitrary local files and exfiltrate ~/.netrc credentials when the tool runs in server mode. Because Terrascan was archived in August 2023, no vendor patch will ever be released, and the daemon binds to 0.0.0.0 with no authentication by default. …

RemediationAI

Within 24 hours: Inventory all systems running Terrascan versions 1.18.3 and prior, prioritizing those with network exposure. Within 7 days: Disable Terrascan server mode on all affected systems and implement network isolation for any remaining instances. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory