PatchSiren cyber security CVE debrief
CVE-2026-47356 tenable CVE debrief
CVE-2026-47356 is a high-severity SSRF issue in Terrascan server mode. An unauthenticated attacker can submit an arbitrary webhook_url to the file scan endpoint and make the server POST full scan results to an attacker-controlled URL, forwarding the supplied webhook_token as a Bearer token. Because affected deployments run as an unauthenticated service bound to 0.0.0.0, exposed instances are directly reachable over the network. Terrascan was archived in August 2023, so no product patch is expected.
- Vendor
- tenable
- Product
- Terrascan
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-19
- Original CVE updated
- 2026-05-20
- Advisory published
- 2026-05-19
- Advisory updated
- 2026-05-20
Who should care
Operators of Terrascan server-mode deployments, especially internet-exposed instances; security teams that rely on Terrascan for CI/CD or centralized scanning; platform teams responsible for outbound egress control and API gateways.
Technical summary
NVD lists Terrascan v1.18.3 and prior as vulnerable (CWE-918). In server mode, POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan accepts a multipart webhook_url parameter. After processing the uploaded file, Terrascan issues an HTTP POST to that URL with the full scan results in the JSON body and forwards webhook_token as a Bearer token in the Authorization header. Nothing restricts where webhook_url may point, so the caller chooses both the destination the server connects to and the Authorization value it presents there. The retryable HTTP client retries up to 10 times on failure, so a single submission can produce up to 11 outbound POSTs to the chosen destination.
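The following Go program is an added illustration of the pattern described above and of the destination check that a front proxy or private fork could apply; it is not Terrascan's code, and the result schema, the allowlist host ci-hooks.example.internal and the function names are assumptions made for the example. The vulnerable builder forwards whatever URL and token it is given; the hardened builder refuses non-https schemes, loopback, private, link-local and unspecified IP literals, and any host not on an operator allowlist, and uses a server-side token instead of the caller's.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// scanResult is a constructed stand-in for the scan output the server forwards.
// It does not reproduce Terrascan's real result schema.
type scanResult struct {
	File       string   `json:"file"`
	Violations []string `json:"violations"`
}

// buildWebhookRequest reproduces the behaviour the advisory describes: the
// caller-supplied webhook_url becomes the POST destination and webhook_token is
// copied verbatim into Authorization as a Bearer token. Nothing checks where the
// URL points, which is the CWE-918 condition. (Illustrative, not Terrascan code.)
func buildWebhookRequest(webhookURL, webhookToken string, res scanResult) (*http.Request, error) {
	body, err := json.Marshal(res)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, webhookURL, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	if webhookToken != "" {
		req.Header.Set("Authorization", "Bearer "+webhookToken)
	}
	return req, nil
}

// validateWebhookURL is the destination check applied before the outbound POST:
// https only, host on an operator-maintained allowlist (an assumed setting), and
// no IP literal in loopback, private, link-local or unspecified ranges
// (169.254.169.254 cloud metadata being the classic SSRF target).
func validateWebhookURL(raw string, allowedHosts []string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("webhook_url scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return errors.New("webhook_url has no host")
	}
	if ip := net.ParseIP(host); ip != nil {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return fmt.Errorf("webhook_url targets non-routable address %s", ip)
		}
	}
	for _, a := range allowedHosts {
		if host == strings.ToLower(a) {
			return nil
		}
	}
	return fmt.Errorf("webhook_url host %q not on allowlist", host)
}

// buildWebhookRequestSafe is the hardened form: the destination must pass
// validateWebhookURL, and the Bearer token comes from server-side configuration
// (serverToken) instead of the untrusted request.
func buildWebhookRequestSafe(webhookURL, serverToken string, allowedHosts []string, res scanResult) (*http.Request, error) {
	if err := validateWebhookURL(webhookURL, allowedHosts); err != nil {
		return nil, err
	}
	return buildWebhookRequest(webhookURL, serverToken, res)
}

func main() {
	res := scanResult{File: "main.tf", Violations: []string{"sample-rule"}} // constructed sample
	allowed := []string{"ci-hooks.example.internal"}                        // assumed allowlist
	target := "http://169.254.169.254/latest/meta-data/"                     // attacker-chosen

	req, _ := buildWebhookRequest(target, "attacker-token", res)
	fmt.Println("vulnerable path would POST to", req.URL, "with", req.Header.Get("Authorization"))

	if _, err := buildWebhookRequestSafe(target, "server-secret", allowed, res); err != nil {
		fmt.Println("hardened path rejects it:", err)
	}
}
```

The check inspects only the literal host, so a DNS name that resolves to an internal address passes it; that is why the allowlist is by hostname and why the egress restriction recommended below is still needed even where a check like this is in place.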
Defensive priority
High. This is unauthenticated, network-reachable SSRF in an archived project with no patch path, so exposure reduction and retirement/migration are the primary mitigations.
Recommended defensive actions
- Identify all Terrascan server-mode deployments and confirm whether any are reachable from untrusted networks.
- Remove or disable exposed server-mode instances where possible; migrate to a supported scanning workflow or replacement product.
- Place any unavoidable instance behind authentication and strict network access controls, such as a reverse proxy, VPN, or allowlisted source IPs.
- Restrict outbound egress from Terrascan hosts to only required destinations to reduce SSRF impact.
- Review reverse-proxy or application logs for POSTs to /v1/{iac}/{iacVersion}/{cloud}/local/file/scan from sources other than your CI/CD systems, and correlate them with unexpected outbound connections from the Terrascan host, since the webhook_url lives in the request body and is not visible in access logs.
- Treat any supplied webhook_token as sensitive and rotate or invalidate credentials if suspicious use is detected.
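As an added example of the log review step, the Go program below scans constructed nginx-style access log lines (not real traffic) from a reverse proxy in front of Terrascan server mode and reports every POST to the scan endpoint whose source address falls outside the trusted CI ranges. The 10.20.0.0/16 range, the sample addresses and the path segments are assumptions made for the example; the program is not part of Terrascan.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// sampleLog holds constructed nginx combined-format lines standing in for a
// reverse proxy in front of Terrascan server mode. Not real traffic.
const sampleLog = `10.20.0.7 - - [19/May/2026:18:02:11 +0000] "POST /v1/terraform/v14/aws/local/file/scan HTTP/1.1" 200 1843 "-" "curl/8.5.0"
203.0.113.45 - - [19/May/2026:18:03:40 +0000] "POST /v1/k8s/v1/all/local/file/scan HTTP/1.1" 200 2201 "-" "python-requests/2.31"
203.0.113.45 - - [19/May/2026:18:03:41 +0000] "POST /v1/k8s/v1/all/local/file/scan HTTP/1.1" 200 2201 "-" "python-requests/2.31"
10.20.0.7 - - [19/May/2026:18:05:02 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.29"
198.51.100.9 - - [19/May/2026:18:06:15 +0000] "POST /v1/terraform/v12/azure/local/file/scan HTTP/1.1" 500 77 "-" "Go-http-client/1.1"`

// lineRE pulls source, timestamp, method, request target and status out of a
// combined-format line; scanPathRE matches the vulnerable endpoint with any
// {iac}/{iacVersion}/{cloud} segments.
var (
	lineRE     = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)
	scanPathRE = regexp.MustCompile(`^/v1/[^/]+/[^/]+/[^/]+/local/file/scan$`)
)

type hit struct {
	Source string
	Time   string
	Path   string
	Status string
}

// findUntrustedScanPosts returns every POST to the scan endpoint whose source
// address is not inside one of the trusted CIDRs. Requests from trusted ranges
// are treated as legitimate CI traffic and skipped.
func findUntrustedScanPosts(log string, trusted []string) ([]hit, error) {
	var nets []*net.IPNet
	for _, c := range trusted {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	var hits []hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := lineRE.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		src, ts, method, path, status := m[1], m[2], m[3], m[4], m[5]
		if i := strings.IndexByte(path, '?'); i >= 0 { // drop any query string
			path = path[:i]
		}
		if method != "POST" || !scanPathRE.MatchString(path) {
			continue
		}
		ip := net.ParseIP(src)
		fromTrusted := false
		for _, n := range nets {
			if ip != nil && n.Contains(ip) {
				fromTrusted = true
				break
			}
		}
		if !fromTrusted {
			hits = append(hits, hit{Source: src, Time: ts, Path: path, Status: status})
		}
	}
	return hits, sc.Err()
}

func main() {
	hits, err := findUntrustedScanPosts(sampleLog, []string{"10.20.0.0/16"})
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("%s %s POST %s -> %s\n", h.Time, h.Source, h.Path, h.Status)
	}
}
```

A flagged line only proves that an untrusted client reached the endpoint; whether it carried a webhook_url is invisible here, so each hit should be matched against egress or firewall logs for an outbound POST from the Terrascan host shortly after the timestamp (allowing for the retries noted above).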
Evidence notes
The CVE record states Terrascan v1.18.3 and prior are vulnerable, with the issue active when running in server mode. NVD classifies the weakness as CWE-918 and lists versionEndIncluding 1.18.3 for the Terrascan CPE. The source reference points to the Terrascan GitHub repository, and the CVE description says the project was archived in August 2023 with no patch to be released.
Official resources
- CVE-2026-47356 CVE record (CVE.org)
- CVE-2026-47356 NVD detail (NVD)
- Source reference: Terrascan GitHub repository
Publicly disclosed on 2026-05-19T17:16:22.680Z and modified on 2026-05-20T14:23:20.603Z. Terrascan was archived in August 2023, so no vendor patch is expected.