VYPR
High severity (7.5) · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-47358

Description

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates when running in server mode. When Terrascan parses uploaded ARM templates or CloudFormation templates, it resolves external URLs referenced within those templates via hashicorp/go-getter with all default detectors enabled, including FileDetector. An unauthenticated remote attacker can upload an ARM template containing a templateLink.uri or parametersLink.uri field, or a CloudFormation template containing an AWS::CloudFormation::Stack TemplateURL field, pointing to an attacker-controlled URL. Terrascan will fetch the attacker-controlled URL server-side. Unlike SSRF via the remote scan endpoint, file:// URLs are directly usable without requiring an X-Terraform-Get redirect, enabling local file read. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Terrascan v1.18.3 and prior in server mode allows SSRF via external URL resolution in IaC templates, enabling unauthenticated local file read.

Vulnerability

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) when running in server mode (terrascan server). The vulnerability resides in the template parsing functionality for ARM and CloudFormation IaC templates. When Terrascan processes uploaded ARM templates containing templateLink.uri or parametersLink.uri fields, or CloudFormation templates with an AWS::CloudFormation::Stack TemplateURL field, it resolves external URLs using the hashicorp/go-getter library with all default detectors enabled, including FileDetector. No authentication is required to reach the server endpoint, which binds to 0.0.0.0 by default.

Exploitation

An unauthenticated remote attacker can upload a malicious ARM or CloudFormation template to a Terrascan server instance. The attacker crafts the template to contain a URL field (e.g., templateLink.uri in ARM or TemplateURL in CloudFormation) pointing to an attacker-controlled HTTP server or a file:// URL. Upon parsing the template, Terrascan will fetch the URL server-side. The FileDetector is enabled by default, allowing file:// URLs to be processed directly without requiring an X-Terraform-Get redirect, which bypasses a common SSRF restriction.

Impact

Successful exploitation allows an attacker to perform SSRF, enabling the reading of arbitrary local files on the Terrascan server file system by specifying file:///etc/passwd or similar paths. The attacker may also probe internal network resources via HTTP requests. No remote code execution is described, but information disclosure from internal services or the host file system is possible.

Mitigation

The Terrascan project was archived in August 2023 [1] and no patch will be released. Users should assume the software is end-of-life. The recommended mitigation is to stop using Terrascan in server mode and migrate to alternative IaC scanning tools that are actively maintained. If server mode must be used, network access controls (e.g., firewall rules) should restrict the server to trusted IPs only. There is no official fix available.
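As an added defensive example (not part of this advisory or of Terrascan itself), the following Python upload gate rejects a JSON-format ARM or CloudFormation template before it reaches a server-mode Terrascan whenever one of the link fields named above (templateLink.uri, parametersLink.uri, TemplateURL) is anything other than an http(s) URL to an allowlisted host. The allowlist host, the two sample templates and the 203.0.113.5 address are constructed for the example; YAML CloudFormation templates are out of scope here.

```python
import json
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"templates.example.internal"}  # constructed allowlist; set per deployment
ARM_LINK_KEYS = {"templateLink": "uri", "parametersLink": "uri"}  # ARM fields named in the advisory

def find_link_refs(node, path=""):
    """Walk parsed JSON, yielding (json_path, url) for every link field go-getter would resolve."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            sub = ARM_LINK_KEYS.get(key)
            if sub and isinstance(value, dict) and isinstance(value.get(sub), str):
                yield f"{here}.{sub}", value[sub]
            elif key == "TemplateURL" and isinstance(value, str):  # CloudFormation nested stack
                yield here, value
            else:
                yield from find_link_refs(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_link_refs(item, f"{path}[{i}]")

def classify(url):
    """Allow only http(s) to allowlisted hosts; any other verdict means reject the upload."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        return "allowed" if parts.hostname in ALLOWED_HOSTS else "untrusted-host"
    if not scheme:
        # Bare paths (and ARM expressions such as "[uri(...)]") carry no scheme; go-getter's
        # FileDetector turns plain paths into file:// URLs, so treat them as local reads.
        return "blocked-scheme:none"
    return f"blocked-scheme:{scheme}"

def audit_template(raw_json):
    """Return [(json_path, url, verdict)] for every link field in a JSON template."""
    return [(p, u, classify(u)) for p, u in find_link_refs(json.loads(raw_json))]

def should_reject(raw_json):
    """True when any link field is not an allowlisted http(s) URL."""
    return any(v != "allowed" for _, _, v in audit_template(raw_json))

# Constructed samples: an ARM nested deployment whose link is a local file, and a
# CloudFormation stack with one allowlisted and one untrusted TemplateURL.
ARM_SAMPLE = json.dumps({"resources": [{"type": "Microsoft.Resources/deployments",
    "properties": {"templateLink": {"uri": "file:///etc/passwd"}}}]})
CFN_SAMPLE = json.dumps({"Resources": {
    "Child": {"Type": "AWS::CloudFormation::Stack", "Properties": {"TemplateURL": "https://templates.example.internal/child.json"}},
    "Other": {"Type": "AWS::CloudFormation::Stack", "Properties": {"TemplateURL": "http://203.0.113.5/child.json"}}}})
```

Run it in front of the upload endpoint (or as a pre-commit check on template repositories) and log every non-"allowed" verdict together with its JSON path; the path tells you which nested resource carried the reference.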

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Tenable/Terrascan, 2 versions
    • (no CPE)
    • (no CPE), range: <=1.18.3

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions (0)

No linked articles in our index yet.