Description
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates when running in server mode. When Terrascan parses uploaded ARM templates or CloudFormation templates, it resolves external URLs referenced within those templates via hashicorp/go-getter with all default detectors enabled, including FileDetector. An unauthenticated remote attacker can upload an ARM template containing a templateLink.uri or parametersLink.uri field, or a CloudFormation template containing an AWS::CloudFormation::Stack TemplateURL field, pointing to an attacker-controlled URL. Terrascan will fetch the attacker-controlled URL server-side. Unlike SSRF via the remote scan endpoint, file:// URLs are directly usable without requiring an X-Terraform-Get redirect, enabling local file read. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
Published: 2026-05-19
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Terrascan versions 1.18.3 and earlier allow an unauthenticated attacker to perform Server‑Side Request Forgery (SSRF) by uploading Infrastructure‑as‑Code templates that reference external URLs. When the server parses ARM or CloudFormation templates, it automatically resolves any templateLink.uri, parametersLink.uri, or TemplateURL fields using the hashicorp/go‑getter library. This resolution fetches the attacker‑controlled URL server‑side, enabling access to public services, internal resources, or local files via file:// schemes. The vulnerability can result in arbitrary data exfiltration or local file read and has a CVSS score of 9.3.

Affected Systems

The affected product is Tenable’s Terrascan, specifically all releases v1.18.3 and prior running in server mode. Server mode binds to 0.0.0.0 with no authentication, allowing anyone who can reach the machine to upload templates and trigger the SSRF. No newer version exists and the project was archived in August 2023, so no patch will be released.

Risk and Exploitability

Based on the description, the vulnerability allows an unauthenticated attacker to upload an Infrastructure‑as‑Code template containing external URL references. The likely attack vector is via direct upload of a malicious template to any endpoint that accepts IaC files; this can be performed by anyone who can reach the server, because Terrascan server mode binds to 0.0.0.0 and has no authentication. The server will resolve these URLs server‑side, leading to a Server‑Side Request Forgery that can reach internal services or local files if file:// is used. The high CVSS score of 9.3 indicates a high severity. Because the EPSS score is not available and the vulnerability is not listed in CISA KEV, the likelihood of exploitation cannot be precisely quantified, but the absence of authentication and the nature of SSRF suggest it could be actively exploited by attackers.

Generated by OpenCVE AI on May 19, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable Terrascan server mode or restrict it to a secured, authenticated network
  • Configure the scanner to disallow template uploads that contain external URL fields or sanitize these fields before processing
  • Isolate or remove the hashicorp/go‑getter dependency and disable its FileDetector, or run Terrascan in a restricted environment where file:// resolution can be blocked
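The second recommended action asks for sanitizing the external URL fields before processing. Below is an added example of such an upload gate in Go (not Terrascan's own code): it walks an uploaded ARM or CloudFormation JSON document, collects every templateLink.uri, parametersLink.uri and TemplateURL value, and rejects the template unless each one is an https URL to an allowlisted host, so neither file:// references nor arbitrary hosts ever reach go-getter. The https-only policy and the host allowlist are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Keys the advisory says Terrascan resolves via go-getter (ARM link objects, CloudFormation TemplateURL).
var linkKeys = map[string]bool{"templateLink": true, "parametersLink": true, "TemplateURL": true}

// collectLinks walks a decoded JSON document and returns every external reference under those keys.
func collectLinks(v interface{}) []string {
	var out []string
	switch t := v.(type) {
	case map[string]interface{}:
		for k, val := range t {
			if s, ok := val.(string); ok && linkKeys[k] {
				out = append(out, s) // CloudFormation: "TemplateURL": "..."
			} else if m, ok := val.(map[string]interface{}); ok && linkKeys[k] {
				if s, ok := m["uri"].(string); ok {
					out = append(out, s) // ARM: "templateLink": {"uri": "..."}
				}
			}
			out = append(out, collectLinks(val)...)
		}
	case []interface{}:
		for _, e := range t {
			out = append(out, collectLinks(e)...)
		}
	}
	return out
}

// CheckTemplate is an assumed upload gate: each external reference must be an https URL
// to an allowlisted host. It returns nil when the template may be passed on for parsing.
func CheckTemplate(raw []byte, allowedHosts map[string]bool) error {
	var doc interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return fmt.Errorf("template is not valid JSON: %w", err)
	}
	for _, l := range collectLinks(doc) {
		u, err := url.Parse(l)
		if err != nil || !strings.EqualFold(u.Scheme, "https") || !allowedHosts[strings.ToLower(u.Hostname())] {
			return fmt.Errorf("rejected external reference %q", l)
		}
	}
	return nil
}
```

CloudFormation templates written in YAML would first need a YAML decoder producing the same map/slice shape; this example handles JSON only.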

Advisories

No advisories yet.

References
History

Tue, 19 May 2026 18:15:00 +0000

Title (values added): Terrascan Server‑Mode SSRF via Uploaded IaC Templates

Tue, 19 May 2026 17:30:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 16:45:00 +0000

Description (values added): identical to the Description section at the top of this page.
Weaknesses (values added): CWE-610, CWE-73, CWE-918
References (values added): none shown
Metrics (values added):
cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-05-19T17:08:41.193Z

Reserved: 2026-05-19T13:49:09.883Z

Link: CVE-2026-47358

Vulnrichment

Updated: 2026-05-19T17:08:28.606Z

NVD

Status : Undergoing Analysis

Published: 2026-05-19T17:16:23.023

Modified: 2026-05-19T17:59:12.383

Link: CVE-2026-47358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T18:00:13Z

Weaknesses