Description
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhook_url multipart form parameter. After scanning the uploaded file, Terrascan sends an HTTP POST request to the attacker-controlled URL containing the full scan results as a JSON body, with the attacker-supplied webhook_token forwarded as a Bearer token in the Authorization header. The retryable HTTP client retries up to 10 times on failure. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
Published: 2026-05-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Terrascan server mode exposes an SSRF vulnerability that allows an unauthenticated remote attacker to supply an arbitrary webhook_url via a multipart form POST to the file scan endpoint. After a scan, the server unconditionally posts the entire scan result JSON to that URL, forwarding an attacker-supplied token as a Bearer header. This data leak makes confidential infrastructure-as-code findings available to an attacker and gives them the ability to target internal hosts or perform blind network probing.

Affected Systems

The affected product is Tenable’s Terrascan, versions 1.18.3 and earlier running in server mode (terrascan server). The server binds to 0.0.0.0 with no authentication and has not been updated since the project was archived in August 2023, so the vulnerability remains present in any existing deployment of these versions.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity. Although the EPSS score is unavailable, the lack of authentication on a service reachable over the network gives attackers a straightforward SSRF vector. The vulnerability is not listed in KEV, but the absence of any patch and the retry logic (up to 10 attempts) increase the likelihood of successful exploitation, especially against poorly segmented or inadequately protected environments.

Generated by OpenCVE AI on May 19, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Move the Terrascan server to a strictly internal network segment or bind it to localhost to prevent external access.
  • Disable or remove the webhook_url functionality, or configure the server to reject any remote webhook URLs.
  • Apply network-layer filtering (firewall or security group rules) to block outbound traffic from the Terrascan process to arbitrary IP addresses that are not part of the trusted scanning workflow.
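The three recommended actions above amount to a server-side policy on where a webhook may be delivered. The following Go routine is an added example, not code from the Terrascan project, showing how a maintainer or fork could enforce such a policy before any outbound POST: webhooks can be disabled outright, the target host must match an exact allowlist, and targets that are, or resolve to, loopback, private or link-local addresses are rejected even when allowlisted. The WebhookPolicy type, the error values, the hostnames and the IP addresses are all constructed for this illustration; the resolver is injected so the check runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// WebhookPolicy is a hypothetical server-side policy for outbound webhook
// deliveries (constructed for this example, not Terrascan's configuration).
type WebhookPolicy struct {
	Enabled      bool            // false drops webhook_url entirely (strongest mitigation)
	AllowedHosts map[string]bool // exact lowercase hostnames belonging to the trusted workflow
	RequireTLS   bool            // refuse plaintext http targets
}

var (
	ErrWebhooksDisabled = errors.New("webhook delivery is disabled on this server")
	ErrBadScheme        = errors.New("webhook URL must use https (or http when TLS is not required)")
	ErrHostNotAllowed   = errors.New("webhook host is not on the allowlist")
	ErrPrivateAddress   = errors.New("webhook host is or resolves to a loopback, private or link-local address")
	ErrCredentials      = errors.New("webhook URL must not embed credentials")
)

// isInternalIP flags address ranges an SSRF target typically lives in.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateWebhookURL decides whether a client-supplied webhook_url may be used.
// lookup abstracts DNS so the check is testable offline; pass net.LookupIP in production.
func ValidateWebhookURL(raw string, p WebhookPolicy, lookup func(string) ([]net.IP, error)) error {
	if !p.Enabled {
		return ErrWebhooksDisabled
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid webhook URL: %w", err)
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "https" && (scheme != "http" || p.RequireTLS) {
		return ErrBadScheme
	}
	if u.User != nil {
		return ErrCredentials
	}
	host := strings.ToLower(u.Hostname())
	// Allowlist first: an arbitrary external host is still an exfiltration channel
	// for the scan results, even if it is not an internal address.
	if host == "" || !p.AllowedHosts[host] {
		return ErrHostNotAllowed
	}
	// Then resolve and reject internal targets, so an allowlisted name cannot be
	// re-pointed at loopback or link-local (e.g. metadata) addresses through DNS.
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		resolved, lerr := lookup(host)
		if lerr != nil {
			return fmt.Errorf("cannot resolve webhook host %q: %w", host, lerr)
		}
		ips = resolved
	}
	if len(ips) == 0 {
		return ErrHostNotAllowed
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return ErrPrivateAddress
		}
	}
	return nil
}

// staticLookup is a constructed resolver used for offline demonstration.
func staticLookup(table map[string][]string) func(string) ([]net.IP, error) {
	return func(host string) ([]net.IP, error) {
		addrs, ok := table[host]
		if !ok {
			return nil, fmt.Errorf("no such host")
		}
		ips := make([]net.IP, 0, len(addrs))
		for _, a := range addrs {
			ips = append(ips, net.ParseIP(a))
		}
		return ips, nil
	}
}

func main() {
	policy := WebhookPolicy{Enabled: true, RequireTLS: true,
		AllowedHosts: map[string]bool{"hooks.example.internal": true, "rebound.example.com": true, "10.0.0.5": true}}
	lookup := staticLookup(map[string][]string{
		"hooks.example.internal": {"203.0.113.10"}, // constructed documentation-range address
		"rebound.example.com":    {"127.0.0.1"},    // allowlisted name that points inward
	})
	for _, raw := range []string{
		"https://hooks.example.internal/terrascan",
		"http://hooks.example.internal/terrascan",
		"https://rebound.example.com/collect",
		"https://10.0.0.5/collect",
		"https://collector.example/collect",
	} {
		fmt.Printf("%-45s -> %v\n", raw, ValidateWebhookURL(raw, policy, lookup))
	}
}
```

The order of checks matters: the allowlist runs before resolution so that the server never performs a DNS lookup on behalf of an unauthenticated client for a name it would reject anyway, and the address check runs after it so that a trusted name cannot be rebound to an internal address. The retry behaviour described in the advisory is unaffected by this check only because the check runs once, before the first delivery attempt.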

Generated by OpenCVE AI on May 19, 2026 at 17:21 UTC.

Tracking


Advisories

No advisories yet.

References
History

Wed, 20 May 2026 14:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:tenable:terrascan:*:*:*:*:*:*:*:*

Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values Added: Tenable; Tenable terrascan

Type: Vendors & Products
Values Added: Tenable; Tenable terrascan

Tue, 19 May 2026 17:45:00 +0000

Type: Title
Values Added: Terrascan Server-Mode SSRF via webhook_url Parameter

Tue, 19 May 2026 17:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 16:45:00 +0000

Type: Description
Values Added: the CVE description shown at the top of this record

Type: Weaknesses
Values Added: CWE-918

Type: References
Values Added:

Type: Metrics
Values Added:
cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N'}


Subscriptions

Tenable Terrascan
MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-05-19T17:10:33.161Z

Reserved: 2026-05-19T13:49:09.883Z

Link: CVE-2026-47356

Vulnrichment

Updated: 2026-05-19T17:10:27.914Z

NVD

Status : Analyzed

Published: 2026-05-19T17:16:22.680

Modified: 2026-05-20T14:23:20.603

Link: CVE-2026-47356

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:39:14Z

Weaknesses