PatchSiren cyber security CVE debrief
CVE-2026-47357 tenable CVE debrief
CVE-2026-47357 describes an unauthenticated server-side request forgery (SSRF) flaw in Terrascan v1.18.3 and earlier when the remote directory scan endpoint is used in server mode. A remote attacker supplies an attacker-controlled HTTP URL in remote_url with remote_type set to "http". The URL is passed to hashicorp/go-getter without validation, and the redirect handling described in the record lets an attacker-controlled response steer the fetch toward a file:// target, so the Terrascan host reads local files on the attacker's behalf. The same flow also risks credential leakage: HttpGetter is described as having Netrc enabled, so credentials from the server's ~/.netrc can be sent to attacker-controlled hostnames. The supplied record notes that Terrascan was archived in August 2023 and that no patch will be released.
- Vendor: tenable
- Product: Terrascan
- CVSS: CRITICAL 9.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Teams running Terrascan in server mode, especially where the service is reachable by untrusted users or sits on a network boundary. Security and platform teams should also care where the host holds sensitive local files or a populated ~/.netrc, since both are what this flaw exposes.
Technical summary
The vulnerable path is POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan in server mode. When remote_type is "http", remote_url is handed directly to go-getter v1.7.5 without sufficient validation. According to the supplied description, go-getter's HttpGetter honors the X-Terraform-Get response header, so a server the attacker controls can answer the initial request with a header that redirects retrieval to a file:// URL on the Terrascan host, enabling local file access. The description also states that HttpGetter has Netrc enabled, so credentials stored in ~/.netrc on that host may be sent to attacker-controlled hostnames. NVD lists the issue as CVE-2026-47357 with CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N and CWE-918 (Server-Side Request Forgery) as the primary weakness.
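The checks a server-mode scanner should apply to a caller-supplied remote_url before handing it to any fetch library, and again on every hop the fetch is redirected to, as an added example in Go (the language Terrascan is written in). This is illustrative code written for this debrief, not Terrascan or go-getter source. The FetchPolicy type, its error values and the allow-listed host git.example.internal are assumptions; the same policy is wired into a standard-library http.Client redirect check so that a file:// target or an off-list host fails at the same point whether it arrives as the initial URL or as a redirect.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// FetchPolicy is the allow-list a server-mode scanner applies to a
// caller-supplied remote_url. Hypothetical type for this debrief; it is not
// Terrascan or go-getter code.
type FetchPolicy struct {
	AllowedHosts []string // exact hostnames that may be fetched from (empty = deny all)
}

var (
	ErrScheme   = errors.New("remote_url: only http and https are permitted")
	ErrUserinfo = errors.New("remote_url: credentials embedded in the URL are not permitted")
	ErrHost     = errors.New("remote_url: host is not on the allow-list")
	ErrInternal = errors.New("remote_url: host is a loopback, private, link-local or unspecified address")
)

// isInternalIP reports whether a literal IP points at the host itself or its
// internal networks, the classic SSRF targets.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// CheckSource validates a URL from the request body and returns it parsed.
// Order matters: scheme first, so file:// is refused before anything else.
func (p FetchPolicy) CheckSource(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("remote_url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, ErrScheme
	}
	if u.User != nil {
		return nil, ErrUserinfo
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return nil, ErrHost
	}
	if ip := net.ParseIP(host); ip != nil && isInternalIP(ip) {
		return nil, ErrInternal
	}
	for _, allowed := range p.AllowedHosts {
		if host == strings.ToLower(allowed) {
			return u, nil
		}
	}
	return nil, ErrHost
}

// CheckRedirect applies the same policy to every hop the fetch is steered to,
// whether by a 3xx Location or by an application-level header such as
// X-Terraform-Get. A redirect to file:// fails the scheme check; a redirect to
// an off-list host fails the host check.
func (p FetchPolicy) CheckRedirect(target string) error {
	_, err := p.CheckSource(target)
	return err
}

// HTTPClient returns a client that refuses any 3xx redirect the policy rejects.
func (p FetchPolicy) HTTPClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			return p.CheckRedirect(req.URL.String())
		},
	}
}

func main() {
	policy := FetchPolicy{AllowedHosts: []string{"git.example.internal"}}
	for _, raw := range []string{
		"https://git.example.internal/org/repo/archive.zip",
		"file:///etc/passwd",
		"http://user:pw@git.example.internal/x.zip",
		"http://127.0.0.1:8080/metadata",
		"https://attacker.example/bundle.zip",
	} {
		_, err := policy.CheckSource(raw)
		fmt.Printf("%-50s -> %v\n", raw, err)
	}
}
```

Two caveats for anyone adapting this. The literal-IP test does not cover a hostname that resolves to an internal address (DNS rebinding); production code must resolve the name, apply isInternalIP to every answer, and connect to the checked address rather than resolving again. And http.Client's CheckRedirect only sees HTTP 3xx redirects; a fetcher that honors an application-level header such as X-Terraform-Get has to pass that target through CheckRedirect itself, and any ~/.netrc lookup in that fetcher should be switched off so the policy is the only thing deciding where credentials go.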
Defensive priority
Critical. This is network-reachable, unauthenticated, and impacts server-mode deployments with potential file disclosure and credential exposure. Because the upstream project is archived and no patch is expected, containment and migration should be treated as urgent.
Recommended defensive actions
- Do not expose Terrascan server mode to untrusted networks; restrict access with network controls immediately.
- If server mode is not required, disable it or remove the service from production use.
- Block or tightly control outbound requests from the Terrascan host to untrusted destinations. Egress filtering limits SSRF against internal services and keeps ~/.netrc credentials from reaching attacker hosts, but it does not stop a file:// fetch, which never leaves the host.
- Treat remote_url input as untrusted and avoid allowing attacker-controlled URLs in this workflow.
- Review hosts running Terrascan for sensitive local files and ~/.netrc contents; rotate any credentials that may have been exposed.
- Plan migration away from archived Terrascan, since the supplied record states no patch will be released.
- Monitor logs for unexpected remote directory scan requests and unusual outbound fetches associated with the affected endpoint.
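A detection pass over access logs for the endpoint named in this debrief, as an added example in Go; it is written for this page and is not Terrascan's own logging or any vendor rule. Terrascan's server log format is not documented here, so the combined-log-format shape, the sample lines and the trusted 10.0.0.0/8 client range are all constructed assumptions. The path match fills the three template parameters with any single path segment, so it catches every {iac}/{iacVersion}/{cloud} combination rather than one hard-coded value.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// remoteDirScanPath matches POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan
// with each of the three path parameters filled by a single path segment.
var remoteDirScanPath = regexp.MustCompile(`^/v1/[^/]+/[^/]+/[^/]+/remote/dir/scan$`)

// accessLine captures a combined-log-format request line:
// client ident user [time] "METHOD PATH PROTO" status bytes
// This shape is an assumption; Terrascan's own log format is not given on this page.
var accessLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) `)

// sampleLog is constructed for this example. 10.0.0.0/8 stands in for the CI
// network that is allowed to call the scanner; the other addresses are outsiders.
var sampleLog = []string{
	`10.0.0.5 - - [19/May/2026:10:00:01 +0000] "POST /v1/terraform/v14/aws/remote/dir/scan HTTP/1.1" 200 512`,
	`203.0.113.7 - - [19/May/2026:10:00:02 +0000] "POST /v1/terraform/v14/aws/remote/dir/scan HTTP/1.1" 200 0`,
	`203.0.113.7 - - [19/May/2026:10:00:03 +0000] "GET /health HTTP/1.1" 200 2`,
	`198.51.100.4 - - [19/May/2026:10:00:04 +0000] "POST /v1/k8s/v1/aws/remote/dir/scan?x=1 HTTP/1.1" 500 0`,
	`garbage line that is not an access log entry`,
}

// Alert is one flagged remote directory scan request.
type Alert struct {
	Client string
	Time   string
	Path   string
	Status string
	Reason string
}

// inAny reports whether ip falls inside any of the given networks.
func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// FlagRemoteDirScans returns one Alert per POST to the remote directory scan
// endpoint whose client address is outside trustedCIDRs. Lines that do not
// match the access-log shape are skipped rather than reported.
func FlagRemoteDirScans(lines []string, trustedCIDRs []string) ([]Alert, error) {
	trusted := make([]*net.IPNet, 0, len(trustedCIDRs))
	for _, c := range trustedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("trusted CIDR %q: %w", c, err)
		}
		trusted = append(trusted, n)
	}
	var alerts []Alert
	for _, line := range lines {
		m := accessLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		client, when, method, path, status := m[1], m[2], m[3], m[4], m[5]
		path = strings.SplitN(path, "?", 2)[0] // drop the query string before matching
		if method != "POST" || !remoteDirScanPath.MatchString(path) {
			continue
		}
		reason := "remote dir scan from untrusted client"
		if ip := net.ParseIP(client); ip == nil {
			reason = "remote dir scan with unparseable client address"
		} else if inAny(ip, trusted) {
			continue
		}
		alerts = append(alerts, Alert{Client: client, Time: when, Path: path, Status: status, Reason: reason})
	}
	return alerts, nil
}

func main() {
	alerts, err := FlagRemoteDirScans(sampleLog, []string{"10.0.0.0/8"})
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %s %s status=%s: %s\n", a.Time, a.Client, a.Path, a.Status, a.Reason)
	}
}
```

Access logs do not carry the request body, so remote_url itself is not visible here; pairing these alerts with outbound connection logs from the same host (a fetch to an unexpected destination shortly after a flagged request) is what turns a suspicious call into a confirmed one.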
Evidence notes
This debrief is based on the supplied CVE record, the NVD reference data, and the linked Terrascan project reference. The record identifies Terrascan v1.18.3 and prior as affected, describes the remote_url / remote_type "http" SSRF path in server mode, and states that the project was archived in August 2023 with no patch planned. NVD records the CVSS and CWE-918 classification.
Official resources
- CVE-2026-47357 CVE record (CVE.org)
- CVE-2026-47357 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: [email protected] - Product
Published 2026-05-19 and modified 2026-05-20 per the supplied CVE timeline. The supplied description also notes that Terrascan was archived in August 2023 and no patch will be released.