CVE-2026-47357: SSRF
Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled HTTP URL as remote_url with remote_type set to "http". The URL is passed directly to hashicorp/go-getter (v1.7.5) without validation. Go-getter's HttpGetter supports the X-Terraform-Get response header, allowing the attacker's server to redirect the download to a file:// URL, enabling local file read. Additionally, HttpGetter has Netrc set to true, causing it to read ~/.netrc and send stored credentials to attacker-controlled hostnames. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released.
Affected Software
Event History
Frequently Asked Questions
What is the severity of CVE-2026-47357?
CVE-2026-47357 has a severity rating of critical with a score of 9.2.
How do I fix CVE-2026-47357?
To fix CVE-2026-47357, upgrade to Terrascan version 1.18.4 or later.
What type of vulnerability is CVE-2026-47357?
CVE-2026-47357 is classified as a Server-Side Request Forgery (SSRF) vulnerability.
Who is affected by CVE-2026-47357?
Users of Accurics Terrascan version 1.18.3 and prior are affected by CVE-2026-47357.
What can an attacker do with CVE-2026-47357?
An unauthenticated remote attacker can exploit CVE-2026-47357 to supply attacker-controlled URLs via the remote_url parameter.