Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remoteurl parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled HTTP URL as remoteurl with remote_type set to "http". The URL is passed directly to hashicorp/go-getter (v1.7.5) without validation. Go-getter's HttpGetter supports the X-Terraform-Get response header, allowing the attacker's server to redirect the download to a file:// URL, enabling local file read. Additionally, HttpGetter has Netrc set to true, causing it to read ~/.netrc and send stored credentials to attacker-controlled hostnames. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
{
"cna_assigner": "tenable",
"cwe_ids": [
"CWE-610",
"CWE-73",
"CWE-918"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47357.json"
}{
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "1.18.3"
}
],
"cpe": "cpe:2.3:a:tenable:terrascan:*:*:*:*:*:*:*:*",
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
]
}