PatchSiren cyber security CVE debrief

CVE-2026-47358 tenable CVE debrief

CVE-2026-47358 is a critical server-side request forgery issue in Terrascan v1.18.3 and earlier when it runs in server mode. An unauthenticated attacker can upload crafted ARM or CloudFormation templates that reference external URLs, causing Terrascan to retrieve those resources server-side. The issue is especially serious because file:// URLs can be used directly in this context, creating a local file read risk. The project is archived and no patch will be released.

Vendor: tenable
Product: Terrascan
CVSS: CRITICAL 9.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Teams operating Terrascan in server mode, especially deployments bound to 0.0.0.0 (all interfaces) without authentication; security teams reviewing IaC upload workflows; organizations that rely on Terrascan to process untrusted ARM or CloudFormation templates.

Technical summary

NVD reports that Terrascan resolves external URLs in uploaded IaC templates using hashicorp/go-getter with default detectors enabled, including FileDetector. In server mode, an unauthenticated remote user can submit an ARM template containing templateLink.uri or parametersLink.uri, or a CloudFormation template containing AWS::CloudFormation::Stack TemplateURL, and Terrascan will fetch the referenced URL server-side. The vulnerability is classified as CWE-918 (SSRF), with related references to CWE-73 and CWE-610 in the source metadata. NVD lists affected versions through 1.18.3.
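The fields named above (ARM templateLink.uri and parametersLink.uri, and CloudFormation AWS::CloudFormation::Stack TemplateURL) are exactly what a defender can pre-screen before a template reaches a Terrascan server-mode instance. The following is an added example, not Terrascan's or go-getter's code, of a gate that walks a JSON template, finds those reference fields, and rejects anything that is not https to an allowlisted host or that points at a loopback, link-local or private IP literal. The allowlist host templates.example.internal, the sample templates and the file paths in them are constructed placeholders.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Template fields the advisory says Terrascan hands to go-getter for
# server-side fetching: ARM templateLink.uri / parametersLink.uri and
# CloudFormation AWS::CloudFormation::Stack Properties.TemplateURL.
ARM_LINK_KEYS = ("templateLink", "parametersLink")
CFN_STACK_TYPE = "AWS::CloudFormation::Stack"

# Hypothetical policy: only https to an allowlisted host is acceptable.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"templates.example.internal"}  # placeholder allowlist


def classify_url(url):
    """Return None if the URL is acceptable, otherwise a short reason string."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # Catches file://, http://, and scheme-less or unknown references.
        return f"disallowed scheme '{scheme or '(none)'}'"
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # hostname, not an IP literal
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        return f"internal address {host}"
    if host not in ALLOWED_HOSTS:
        return f"host '{host}' not in allowlist"
    return None


def find_external_refs(node, path="$"):
    """Walk a parsed template and yield (json_path, url) for every fetchable reference."""
    if isinstance(node, dict):
        # ARM: {"templateLink": {"uri": ...}} / {"parametersLink": {"uri": ...}}
        for key in ARM_LINK_KEYS:
            link = node.get(key)
            if isinstance(link, dict) and isinstance(link.get("uri"), str):
                yield f"{path}.{key}.uri", link["uri"]
        # CloudFormation nested stack: Type AWS::CloudFormation::Stack, Properties.TemplateURL
        if node.get("Type") == CFN_STACK_TYPE:
            props = node.get("Properties", {})
            if isinstance(props, dict) and isinstance(props.get("TemplateURL"), str):
                yield f"{path}.Properties.TemplateURL", props["TemplateURL"]
        for key, value in node.items():
            yield from find_external_refs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_external_refs(value, f"{path}[{i}]")


def check_template(text):
    """Parse a JSON template and return a list of (path, url, reason) findings.
    An empty list means no disallowed external reference was found."""
    doc = json.loads(text)
    findings = []
    for path, url in find_external_refs(doc):
        reason = classify_url(url)
        if reason:
            findings.append((path, url, reason))
    return findings


# Constructed sample: ARM template whose templateLink uses file:// (local file read risk).
SAMPLE_ARM = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "resources": [{
        "type": "Microsoft.Resources/deployments",
        "name": "linked",
        "properties": {
            "mode": "Incremental",
            "templateLink": {"uri": "file:///etc/hostname"},
            "parametersLink": {"uri": "https://templates.example.internal/params.json"},
        },
    }],
})

# Constructed sample: CloudFormation nested stack fetching over plain http from a private address.
SAMPLE_CFN = json.dumps({
    "Resources": {
        "Child": {
            "Type": "AWS::CloudFormation::Stack",
            "Properties": {"TemplateURL": "http://10.0.0.5/child.json"},
        }
    }
})

if __name__ == "__main__":
    for name, sample in (("arm", SAMPLE_ARM), ("cfn", SAMPLE_CFN)):
        for path, url, reason in check_template(sample):
            print(f"{name}: {path} -> {url}: {reason}")
```

Run this in the upload path and refuse the scan when check_template returns any findings; the gate only handles JSON, so YAML CloudFormation would need a YAML loader first, and it checks IP literals only, so hostnames that resolve to internal addresses still rely on the outbound network restrictions recommended below.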

Defensive priority

Immediate for any exposed Terrascan server-mode deployment processing untrusted templates. Because the product is archived and no fix is expected, mitigation depends on reducing exposure, restricting access, and disabling or isolating the affected workflow.

Recommended defensive actions

  • Do not expose Terrascan server mode to untrusted networks or unauthenticated users.
  • Restrict access to the upload and scan endpoints with strong authentication, network controls, or both.
  • Treat uploaded ARM and CloudFormation templates as untrusted input and isolate the scanning environment from sensitive internal services and local files.
  • Block or tightly control outbound network access from the Terrascan process or container where feasible.
  • Review whether server mode is needed at all; if not, disable it and use a safer alternative workflow.
  • Inventory deployments still running Terrascan 1.18.3 or earlier and prioritize retirement or replacement since no vendor patch will be released.

Evidence notes

This debrief is based on the supplied CVE description, NVD metadata, and official links. The source corpus states that Terrascan v1.18.3 and prior are vulnerable, that the issue occurs in server mode, and that the project was archived in August 2023 with no patch planned. CVSS 4.0 is 9.2/Critical per the supplied record.

Official resources

Publicly disclosed on 2026-05-19 per the supplied CVE record and NVD metadata. The source description notes that Terrascan was archived in August 2023 and no patch will be released.