CVE-2026-47356
Description
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhook_url multipart form parameter. After scanning the uploaded file, Terrascan sends an HTTP POST request to the attacker-controlled URL containing the full scan results as a JSON body, with the attacker-supplied webhook_token forwarded as a Bearer token in the Authorization header. The retryable HTTP client retries up to 10 times on failure. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Terrascan v1.18.3 and prior in server mode are vulnerable to SSRF via the webhook_url parameter, allowing an unauthenticated attacker to receive scan results and tokens.
Vulnerability
Terrascan v1.18.3 and prior versions (archived as of August 2023) contain a Server-Side Request Forgery (SSRF) vulnerability in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan). The webhook_url multipart form parameter is accepted without validation, and when the server processes a scan, it sends an HTTP POST request containing the full scan results (JSON body) to the attacker-controlled URL [1]. The request also includes an attacker-supplied webhook_token in the Authorization header as a Bearer token [1]. This affects deployments running terrascan server, which by default binds to 0.0.0.0 with no authentication [1].
Exploitation
An unauthenticated remote attacker can send a crafted POST request to the file scan endpoint, providing an arbitrary URL (e.g., https://attacker-controlled-server.com/exfil) in the webhook_url field [1]. After Terrascan completes scanning the uploaded IaC file, the server sends an HTTP POST request to the supplied URL. The retryable HTTP client retries up to 10 times on failure, increasing reliability of exfiltration [1]. No authentication or prior access to the target system is required [1].
Impact
Successful exploitation results in exfiltration of full scan results (which may contain sensitive infrastructure details) and the attacker-supplied webhook token (which the attacker already controls) [1]. The CIA impact is primarily unauthorized disclosure (breach of confidentiality) of scanned content. The attacker does not gain code execution or direct control over the Terrascan host, but can leverage the SSRF to probe internal networks or services from the Terrascan server's network perspective [1].
Mitigation
No patch will be released because Terrascan has been archived since August 2023 and is no longer maintained [1]. The only mitigations are to avoid running Terrascan in server mode on untrusted networks, to restrict inbound network access to the server, and to apply egress firewall rules so that the server cannot make outbound connections to arbitrary destinations. Users should also consider migrating to alternative IaC scanning tools that are actively maintained [1].
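As an added illustration of the mitigation discussed above, and not code from this page or from the Terrascan project (which is archived), the following Go function shows how a server that forwards scan results to a caller-supplied webhook_url can constrain the destination before sending anything: https only, no embedded credentials, hostname on an operator-maintained allowlist, and every address the hostname resolves to a public unicast address. The function and type names, the allowlist entries and the stub DNS table are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS lookup so the check can be exercised offline.
// A deployment would pass net.LookupIP here.
type Resolver func(host string) ([]net.IP, error)

// isDisallowedIP reports whether ip points somewhere a server-side webhook
// must never be sent: loopback, RFC 1918 / ULA private ranges, link-local
// (which includes the 169.254.0.0/16 cloud metadata range), and
// unspecified or multicast addresses.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateWebhookURL accepts a caller-supplied webhook destination only if it
// uses https, carries no credentials, its hostname is on allowedHosts, and
// every address it resolves to is public unicast. It returns the resolved
// addresses so the caller can dial them directly instead of re-resolving,
// which closes the DNS-rebinding window between check and use.
func ValidateWebhookURL(raw string, allowedHosts []string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("webhook_url is not a valid URL: %w", err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("webhook_url scheme %q not allowed (https only)", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("webhook_url must not embed credentials")
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return nil, errors.New("webhook_url has no host")
	}
	allowed := false
	for _, h := range allowedHosts {
		if strings.EqualFold(h, host) {
			allowed = true
			break
		}
	}
	if !allowed {
		return nil, fmt.Errorf("webhook host %q is not on the allowlist", host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		// Literal IP in the URL: check it directly, no lookup needed.
		ips = []net.IP{ip}
	} else {
		ips, err = resolve(host)
		if err != nil {
			return nil, fmt.Errorf("resolving %q: %w", host, err)
		}
		if len(ips) == 0 {
			return nil, fmt.Errorf("%q resolved to no addresses", host)
		}
	}
	// Every resolved address must pass; one private A record is enough to refuse.
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return nil, fmt.Errorf("webhook host %q resolves to disallowed address %s", host, ip)
		}
	}
	return ips, nil
}

// stubResolver is a constructed lookup table so the example runs offline.
func stubResolver(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"hooks.example.com":  {net.ParseIP("203.0.113.10")},
		"rebind.example.com": {net.ParseIP("203.0.113.11"), net.ParseIP("10.0.0.5")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	allow := []string{"hooks.example.com", "rebind.example.com", "169.254.169.254"}
	for _, raw := range []string{
		"https://hooks.example.com/results",           // accepted
		"http://hooks.example.com/results",            // rejected: not https
		"https://169.254.169.254/latest/meta-data/",   // rejected: link-local, even though allowlisted
		"https://rebind.example.com/results",          // rejected: one record is private
		"https://attacker.example/exfil",              // rejected: not on allowlist
	} {
		ips, err := ValidateWebhookURL(raw, allow, stubResolver)
		if err != nil {
			fmt.Printf("REJECT %s: %v\n", raw, err)
			continue
		}
		fmt.Printf("ACCEPT %s -> %v\n", raw, ips)
	}
}
```

The allowlist is the control that matters most: without it, a public-address check alone still lets the server post scan results to any Internet host, which is exactly the disclosure described above. The returned addresses should be used to dial the webhook (for example through a custom http.Transport dialer), and the HTTP client used for the webhook should have a bounded retry count and timeout rather than the ten retries noted in the description.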
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions (0)
No linked articles in our index yet.