Description
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled HTTP URL as remote_url with remote_type set to "http". The URL is passed directly to hashicorp/go-getter (v1.7.5) without validation. Go-getter's HttpGetter supports the X-Terraform-Get response header, allowing the attacker's server to redirect the download to a file:// URL, enabling local file read. Additionally, HttpGetter has Netrc set to true, causing it to read ~/.netrc and send stored credentials to attacker-controlled hostnames. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
Published: 2026-05-19
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Terrascan versions 1.18.3 and earlier, when run in server mode, allow an unauthenticated attacker to send a POST request to the /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan endpoint with a crafted remote_url parameter pointing to an attacker-controlled HTTP server. The remote_url is passed to the hashicorp/go-getter library without validation, so the library's HttpGetter follows whatever the remote server sends back: if the server responds with an X-Terraform-Get header naming a file:// URL, go-getter fetches from that location instead, allowing arbitrary local files on the host to be read. HttpGetter is also configured with Netrc enabled, so credentials stored in the server's ~/.netrc file are sent to any attacker-controlled hostname, exposing authentication material.
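An added defender-side check, written for this page and not Terrascan's or go-getter's own code: it applies to the remote_type/remote_url pair the validation the description says is missing (scheme and host allowlist, no embedded credentials) and refuses the X-Terraform-Get redirect header that steers the fetch to file://. The allowlisted host iac.example.internal is a constructed assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed allowlist of hosts the scanner may fetch IaC from (assumption:
// a real deployment would load this from its configuration). Keeping this
// list short also bounds which hosts could ever receive ~/.netrc credentials.
var allowedHosts = map[string]bool{"iac.example.internal": true}

// ValidateRemoteURL enforces what the vulnerable endpoint did not: only the
// "http" remote type is handled, only http/https schemes pass, embedded
// credentials are refused, and the host (name or IP literal) must be
// allowlisted. No DNS lookup is made, so the name cannot be rebound later.
func ValidateRemoteURL(remoteType, remoteURL string) error {
	if remoteType != "http" {
		return fmt.Errorf("remote_type %q not handled by this validator", remoteType)
	}
	u, err := url.Parse(remoteURL)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials embedded in remote_url are not allowed")
	}
	if host := strings.ToLower(u.Hostname()); !allowedHosts[host] {
		return fmt.Errorf("host %q is not on the allowlist", host)
	}
	return nil
}

// CheckResponse refuses the X-Terraform-Get header the advisory describes, so
// a remote server cannot steer the fetch to file:// or to another host. Run it
// on every response before handing the body to the unpacker.
func CheckResponse(resp *http.Response) error {
	if v := resp.Header.Get("X-Terraform-Get"); v != "" {
		return fmt.Errorf("refusing X-Terraform-Get redirect to %q", v)
	}
	return nil
}
```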

Affected Systems

The issue affects Tenable's Terrascan in all releases up to and including 1.18.3 when run in server mode. Server mode binds the application to 0.0.0.0 and exposes a REST API with no authentication, so any system that publicly exposes the API is directly vulnerable. The source code repository was archived in August 2023 and no further patches or updates will be released.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating critical severity. No EPSS data is available and the vulnerability is not listed in CISA KEV. The SSRF vector is reachable on any externally reachable Terrascan instance, so exploitation is likely wherever the service is exposed to the Internet. The lack of authentication and the default open binding reduce the effort required for an attack, making the risk most pronounced for exposed deployments.

Generated by OpenCVE AI on May 19, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable Terrascan server mode or configure it to bind only to the loopback interface to prevent external access.
  • Implement network controls such as firewalls or ingress rules to restrict access to the /v1/*/remote/dir/scan endpoint to trusted internal traffic only.
  • Because no patch will be released, migrate to an actively maintained infrastructure-as-code scanning tool.
  • Isolate the Terrascan instance in a protected network segment or VPN and enforce strict egress controls to limit SSRF attempts.


Advisories

No advisories yet.

History

Tue, 19 May 2026 18:15:00 +0000

Type     Values Removed   Values Added
Title    (none)           SSRF in Tenable Terrascan Remote Scan Enables Local File Read and Credential Disclosure

Tue, 19 May 2026 17:30:00 +0000

Type     Values Removed   Values Added
Metrics  (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 16:45:00 +0000

Type         Values Removed   Values Added
Description  (none)           the vulnerability description shown under Description above
Weaknesses   (none)           CWE-610, CWE-73, CWE-918
References   (none)           (none)
Metrics      (none)           cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                              cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-05-19T17:09:32.072Z

Reserved: 2026-05-19T13:49:09.883Z

Link: CVE-2026-47357

Vulnrichment

Updated: 2026-05-19T17:09:26.177Z

NVD

Status: Undergoing Analysis

Published: 2026-05-19T17:16:22.863

Modified: 2026-05-19T17:59:12.383

Link: CVE-2026-47357

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T18:00:13Z

Weaknesses