VYPR
High severity7.5NVD Advisory· Published May 19, 2026· Updated May 20, 2026

CVE-2026-47357

CVE-2026-47357

Description

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled HTTP URL as remote_url with remote_type set to "http". The URL is passed directly to hashicorp/go-getter (v1.7.5) without validation. Go-getter's HttpGetter supports the X-Terraform-Get response header, allowing the attacker's server to redirect the download to a file:// URL, enabling local file read. Additionally, HttpGetter has Netrc set to true, causing it to read ~/.netrc and send stored credentials to attacker-controlled hostnames. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Tenable/Terrascanreferences3 versions
    (expand)+ 2 more
    • (no CPE)
    • cpe:2.3:a:tenable:terrascan:*:*:*:*:*:*:*:*range: <=1.18.3
    • (no CPE)range: <=1.18.3

Patches

Vulnerability mechanics

News mentions

0

No linked articles in our index yet.