External risk intelligence

Terrascan's server mode can expose local files and stored credentials to unauthenticated attackers.

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-47357

An external attacker can exploit Terrascan to read sensitive local files and steal stored credentials. This could allow unauthorized access to connected cloud services and infrastructure, potentially compromising critical business systems.

Halo Surface Signal

Server-Side Request Forgery

Tenable Terrascan

1.18.3 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2026-47357

The vulnerability affects an HTTP API exposed when the tool runs in server mode. While typically used within internal development environments, the service lacks authentication and binds to all network interfaces by default, making it potentially reachable from the internet if network controls are insufficient or absent.

Horizon Alert

Summary of the vulnerability and why it matters

Terrascan's server mode has a critical flaw that lets unauthenticated attackers read local files and steal credentials. The remote directory scan endpoint passes a caller-supplied URL to the fetching library without validating it, so an attacker-controlled server can redirect the fetch to a local `file://` path. Since the project is archived and no longer maintained, no fix will be released.

  • Can read local files.
  • Can expose stored credentials.
  • Exploitable without authentication.

Attack Path

How an attacker could exploit the issue

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted request to a Terrascan server. The request carries a URL pointing to a server the attacker controls; that server's response then redirects Terrascan to read local files or to expose credentials stored in the `.netrc` file. This is possible because Terrascan's remote directory scan endpoint performs no validation on the URL and passes it directly to a vulnerable fetching library.

  • No authentication required.
  • Targets the remote directory scan endpoint.
  • Redirects the fetch to a `file://` URL through an HTTP response header.
  • Exposes credentials stored in the `.netrc` file.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to read local files or steal credentials by tricking Terrascan into fetching a URL they control. Terrascan hands the `remote_url` parameter to the `go-getter` library without validating it, and the resulting fetch can be redirected to a `file://` URL or used to expose credentials stored in `.netrc`.

  • Exploitable by unauthenticated attackers.
  • Only server mode is exposed; its API has no authentication.
  • CVE disclosed in 2026.
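The Attack Path and Live Threat sections above describe the same missing control: the caller-supplied URL reaches the fetcher unchecked, and a redirect from the attacker's host is followed without being checked either. The following is an added example, not Terrascan or go-getter code, of the guard that should sit in front of such a fetch. It rejects anything but public http/https targets and, through `http.Client.CheckRedirect`, applies the same rule to every redirect hop, which is the step that matters: a public attacker host passes the first check, so only re-validating the redirect target stops the hop to `file://` or to an internal address. `ExampleResolver`, its hostnames and addresses, and `isInternalIP` are constructed for this example and stand in for real DNS. It does not pin the resolved address for the dial, so a DNS-rebinding attacker could still race the check; a production guard would resolve once and dial the address it validated.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// errBlocked is returned for any URL the guard refuses.
var errBlocked = errors.New("remote_url rejected by SSRF guard")

// isInternalIP reports whether ip is loopback, link-local (which includes the
// cloud metadata range), unspecified, or RFC 1918 / ULA private space.
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsUnspecified() || ip.IsPrivate()
}

// Resolver maps a hostname to its addresses. It is injected so the guard can
// run offline in this example and so a real deployment can pin its answers.
type Resolver func(host string) ([]net.IP, error)

// ValidateRemoteURL accepts only absolute http/https URLs, without embedded
// credentials, whose host does not resolve to an internal address.
func ValidateRemoteURL(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", errBlocked, err)
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		// file://, git::, s3:: and every other scheme the fetcher understands
		// must never be reachable from caller input.
		return nil, fmt.Errorf("%w: scheme %q not allowed", errBlocked, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: embedded credentials not allowed", errBlocked)
	}
	host := u.Hostname()
	if host == "" {
		return nil, fmt.Errorf("%w: missing host", errBlocked)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address, no lookup needed
	} else {
		ips, err = resolve(host)
		if err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("%w: cannot resolve %q", errBlocked, host)
		}
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return nil, fmt.Errorf("%w: %q resolves to internal address %s", errBlocked, host, ip)
		}
	}
	return u, nil
}

// NewGuardedClient returns an http.Client that passes every redirect target
// through the same guard before following it, so a response from an
// attacker-controlled host cannot re-target the fetch.
func NewGuardedClient(resolve Resolver) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return fmt.Errorf("%w: too many redirects", errBlocked)
			}
			_, err := ValidateRemoteURL(req.URL.String(), resolve)
			return err
		},
	}
}

// ExampleResolver is a constructed, offline stand-in for DNS; the names and
// addresses are invented for this example.
func ExampleResolver(host string) ([]net.IP, error) {
	table := map[string]string{
		"modules.example.com": "203.0.113.10", // legitimate module source
		"localhost":           "127.0.0.1",
		"evil.example.net":    "198.51.100.7", // attacker host with a public address
		"rebind.example.net":  "10.0.0.5",     // attacker name that resolves internally
	}
	if a, ok := table[strings.ToLower(host)]; ok {
		return []net.IP{net.ParseIP(a)}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	for _, raw := range []string{
		"https://modules.example.com/policies.tar.gz",
		"file:///etc/passwd",
		"http://localhost:9010/",
		"http://169.254.169.254/latest/meta-data/",
		"http://rebind.example.net/",
		"https://evil.example.net/redirect-me", // allowed here; its redirect is checked by the client
	} {
		if _, err := ValidateRemoteURL(raw, ExampleResolver); err != nil {
			fmt.Printf("REJECT %-48s %v\n", raw, err)
		} else {
			fmt.Printf("ALLOW  %s\n", raw)
		}
	}
	_ = NewGuardedClient(ExampleResolver) // use this client wherever the fetch is performed
}
```

Note that `https://evil.example.net/...` is accepted by the first check, as it should be; nothing about a public hostname is suspicious on its own. What closes the hole is that the client's `CheckRedirect` refuses the hop that host tries to induce, whether to a loopback port, to the metadata service, or to a name that resolves into private space.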

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking offline any instances of Terrascan v1.18.3 and prior running in server mode, as these are unauthenticated and vulnerable to SSRF. Review network egress logs from Terrascan hosts for connections to unexpected internal or external destinations (the cloud metadata service, loopback ports, internal services, or hosts that are not known module sources), and review host-level logs for reads of sensitive files such as `.netrc` by the Terrascan process. Since the project is archived, focus on immediate containment and architectural removal rather than waiting for a patch.

  • Block network access to the Terrascan API.
  • Remove Terrascan from the environment.
  • Monitor for anomalous file access.
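The egress review recommended above can be scripted. The following is an added example, not part of this advisory or of Terrascan, that triages a firewall or proxy log for the connections the advisory says to look for: from a known Terrascan host to the cloud metadata range, to private or loopback space, or to an external host outside the list of expected module sources. The log format, the `10.0.5.20` scanner address, `modules.example.com` as the one expected source, and every line in `SampleLog` are constructed for this example; a real deployment would adapt `ParseLine` to its own log schema and feed the allowlist from the module sources its pipelines actually use.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// EgressEvent is one outbound connection record from a firewall or proxy log.
type EgressEvent struct {
	Time    string
	SrcIP   string
	DstHost string // "-" when the log has no hostname (raw IP connection)
	DstIP   string
	DstPort int
}

// Finding pairs a flagged event with the reason it was flagged.
type Finding struct {
	Event  EgressEvent
	Reason string
}

// SampleLog is a constructed egress log in a simplified
// "timestamp src_ip dst_host dst_ip dst_port" format. Addresses and
// names are invented for this example; 10.0.5.20 plays the Terrascan host.
const SampleLog = `2026-04-02T10:01:05Z 10.0.5.20 modules.example.com 203.0.113.10 443
2026-04-02T10:02:41Z 10.0.5.20 evil.example.net 192.0.2.99 80
2026-04-02T10:02:42Z 10.0.5.20 - 169.254.169.254 80
2026-04-02T10:03:10Z 10.0.7.31 modules.example.com 203.0.113.10 443
2026-04-02T10:03:15Z 10.0.5.20 - 10.0.5.1 8500`

// ParseLine parses one record of the constructed format.
func ParseLine(line string) (EgressEvent, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return EgressEvent{}, fmt.Errorf("expected 5 fields, got %d: %q", len(f), line)
	}
	port, err := strconv.Atoi(f[4])
	if err != nil {
		return EgressEvent{}, fmt.Errorf("bad port in %q: %v", line, err)
	}
	return EgressEvent{Time: f[0], SrcIP: f[1], DstHost: f[2], DstIP: f[3], DstPort: port}, nil
}

// Classify returns a non-empty reason when an event from a Terrascan host is
// one to investigate: a fetch redirected to the cloud metadata service, into
// the local network, or to a host outside the set of expected module sources.
func Classify(e EgressEvent, allowedHosts map[string]bool) string {
	ip := net.ParseIP(e.DstIP)
	switch {
	case ip == nil:
		return "unparseable destination address"
	case ip.IsLinkLocalUnicast():
		return "link-local destination (cloud metadata range)"
	case ip.IsLoopback() || ip.IsPrivate():
		return "private or loopback destination"
	case !allowedHosts[strings.ToLower(e.DstHost)]:
		return "external destination not in allowlist"
	}
	return ""
}

// Triage scans a log for events originating from the given Terrascan hosts
// and returns every event Classify flags, in log order.
func Triage(log string, scanners, allowedHosts map[string]bool) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		if !scanners[e.SrcIP] {
			continue // traffic from hosts that are not Terrascan instances
		}
		if reason := Classify(e, allowedHosts); reason != "" {
			findings = append(findings, Finding{Event: e, Reason: reason})
		}
	}
	return findings, sc.Err()
}

func main() {
	scanners := map[string]bool{"10.0.5.20": true}
	allowed := map[string]bool{"modules.example.com": true}
	findings, err := Triage(SampleLog, scanners, allowed)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s -> %s:%d  %s\n", f.Event.Time, f.Event.SrcIP, f.Event.DstIP, f.Event.DstPort, f.Reason)
	}
}
```

On the constructed log this flags three of the five records: the fetch to the unknown external host, the hop to `169.254.169.254`, and the connection into `10.0.5.1`; the legitimate module fetch and the record from a non-Terrascan host are left alone. Egress data cannot show a `file://` read, which never leaves the host, so this complements rather than replaces host-level file access monitoring.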

Frequently asked questions

What is Terrascan and what versions are affected by CVE-2026-47357?

Terrascan is a tool for scanning infrastructure-as-code configurations. Versions 1.18.3 and prior are affected by CVE-2026-47357.

How does CVE-2026-47357 enable local file reading?

CVE-2026-47357 is a Server-Side Request Forgery (SSRF) vulnerability. An attacker sends a URL they control to Terrascan's remote directory scan endpoint; the attacker's server then redirects the fetch to a `file://` URL, causing Terrascan to read a local file.

What is the weakness class for CVE-2026-47357?

The weakness classes associated with CVE-2026-47357 are CWE-73 (External Control of File Name or Path), CWE-610 (Externally Controlled Reference to a Resource in Another Sphere), and CWE-918 (Server-Side Request Forgery).

What is the relevance of CVE-2026-47357 affecting an unauthenticated remote attacker?

The vulnerability is relevant because an unauthenticated remote attacker can exploit it. By providing a malicious URL, the attacker can redirect Terrascan to read local files or leak credentials via the `.netrc` file, especially when Terrascan is running in server mode without authentication.

What steps should be taken to respond to CVE-2026-47357?

Since Terrascan is archived and no patch will be released, the priority is containment. Isolate or take offline any instances of Terrascan v1.18.3 and prior running in server mode. Block network access to the Terrascan API and remove Terrascan from the environment. Monitor for anomalous file access or credential exfiltration.
