Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhook_url multipart form parameter. After scanning the uploaded file, Terrascan sends an HTTP POST request to the attacker-controlled URL containing the full scan results as a JSON body, with the attacker-supplied webhook_token forwarded as a Bearer token in the Authorization header. The retryable HTTP client retries up to 10 times on failure. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
AnalysisAI
Server-Side Request Forgery in Terrascan up to v1.18.3 lets unauthenticated remote attackers coerce the scanner's HTTP client to POST full IaC scan results - along with an attacker-chosen Bearer token in the Authorization header - to any URL supplied via the webhook_url multipart parameter. Because Terrascan was archived by Tenable in August 2023, no vendor patch will be released, leaving every existing server-mode deployment permanently exposed. No public exploit identified at time of analysis and the CVE is not on CISA KEV, but the trivial exploit primitive (a single multipart POST) makes weaponization straightforward.
Technical ContextAI
Terrascan is a static analysis tool for Infrastructure-as-Code (Terraform, Kubernetes, Helm, CloudFormation, etc.) maintained by Tenable until its August 2023 archival. When invoked as 'terrascan server', it exposes a REST API bound to 0.0.0.0:9010 with no authentication layer. The vulnerable POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan endpoint accepts a webhook_url multipart parameter and, after performing the IaC scan, uses a retryable HTTP client (retrying up to 10 times) to dispatch results to that URL. CWE-918 (SSRF) applies because the server-side HTTP request destination is fully attacker-controlled with no allowlist, scheme restriction, or internal-IP filtering, and the request additionally carries an attacker-supplied bearer credential - making it useful for both blind-SSRF probing of internal services and outbound credential injection or relay attacks.
RemediationAI
No vendor-released patch identified at time of analysis - Tenable archived Terrascan in August 2023 and has stated no patch will be issued, so the only durable fix is to migrate off Terrascan to a maintained IaC scanner (Checkov, KICS, tfsec/Trivy-config, or Tenable's successor tooling). Until migration completes, do not run 'terrascan server'; restrict use to CLI invocations inside CI pipelines, which are not affected by this SSRF. If the server mode is operationally required, do not bind to 0.0.0.0 - front it with a reverse proxy that enforces authentication and strips or rejects the webhook_url multipart parameter, or apply a network policy/host firewall that limits inbound access to known scanner clients and limits outbound egress from the Terrascan host so the SSRF cannot reach cloud metadata services (169.254.169.254), internal admin panels, or arbitrary internet destinations; trade-off is that legitimate webhook delivery to external endpoints will also be blocked. The archived source is at https://github.com/tenable/terrascan for teams that wish to maintain an internal fork.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30952
GHSA-q2p7-5m6x-29x8