CVE-2026-47356: SSRF
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhook_url multipart form parameter. After scanning the uploaded file, Terrascan sends an HTTP POST request to the attacker-controlled URL containing the full scan results as a JSON body, with the attacker-supplied webhook_token forwarded as a Bearer token in the Authorization header. The retryable HTTP client retries up to 10 times on failure. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2026-47356?
The severity of CVE-2026-47356 is rated high, with a score of 8.7.
How does CVE-2026-47356 affect Terrascan?
CVE-2026-47356 affects Terrascan versions v1.18.3 and prior by allowing Server-Side Request Forgery through the webhook_url parameter.
What systems are impacted by CVE-2026-47356?
CVE-2026-47356 impacts systems running Accurics Terrascan and Tenable Terrascan in server mode.
How do I mitigate CVE-2026-47356?
To mitigate CVE-2026-47356, upgrade to Terrascan version v1.18.4 or later.
What potential consequences does CVE-2026-47356 pose?
CVE-2026-47356 allows an unauthenticated remote attacker to exploit SSRF vulnerabilities, potentially leading to sensitive information exposure.