
Attacker can read sensitive files using Terrascan

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-47358

Tenable's Terrascan, now archived, has a critical flaw allowing unauthenticated attackers to read local files or access internal systems if it's running in server mode. Since no fix is planned, immediate attention is needed to isolate or disable these instances.

Halo Surface Signal: 3

Weakness: Server-Side Request Forgery

Product: Tenable Terrascan

Affected versions: 1.18.3 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2026-47358

Terrascan in server mode functions as a network service binding to all interfaces by default without authentication. While primarily intended for internal use within development workflows or CI/CD pipelines, its configuration enables external access. It is plausibly reachable from the internet if deployed in exposed environments, though it is not a public-facing service by design.

Horizon Alert

Summary of the vulnerability and why it matters

Terrascan, when running in server mode, has a flaw that allows attackers to trick it into fetching malicious content from external URLs. This could lead to unauthorized access to sensitive information or potentially other system compromises. Because Terrascan was archived and is no longer maintained, there will be no fix.

  • Can read local files.
  • Exploitable remotely without authentication.
  • Affects deployments running Terrascan in server mode.

Attack Path

How an attacker could exploit the issue

An unauthenticated remote attacker can exploit this vulnerability by uploading a specially crafted Infrastructure as Code (IaC) template to a Terrascan server. This template will contain a malicious URL that Terrascan will fetch server-side, allowing the attacker to read local files on the server or potentially access other internal resources.

  • Server mode is required.
  • Unauthenticated remote access is needed.
  • Malicious IaC template upload.

Live Threat

Current exploitation, exposure, and threat context

This SSRF vulnerability in Terrascan is concerning because it allows both local file reads and server-side requests to internal resources. While Terrascan has been archived, meaning no official patches will be released, its unauthenticated server mode makes it a tempting target. Attackers might exploit this to access sensitive information or pivot to other internal systems, particularly if it is deployed in an insecure environment.

  • Unauthenticated server mode is vulnerable.
  • Local file read is possible.
  • No official patch will be released.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Focus on detecting and blocking external URL resolution attempts within uploaded IaC templates when running Terrascan in server mode. Since Terrascan is archived and unpatched, prioritize isolating or disabling any instances of Terrascan running in server mode. Monitor network traffic for any outbound connection attempts from Terrascan instances, specifically those originating from template processing.

  • Block external URL resolutions.
  • Isolate or disable Terrascan server instances.
  • Monitor for suspicious outbound connections.

Frequently asked questions

What is Terrascan and what is its primary function?

Terrascan is a tool that scans Infrastructure as Code (IaC) templates, like ARM or CloudFormation, to find security misconfigurations and policy violations. It helps ensure secure cloud infrastructure deployment by analyzing templates before or during the deployment process. Organizations typically integrate Terrascan into CI/CD pipelines or development workflows to uphold security standards.

How does CVE-2026-47358 enable attackers to read files?

This vulnerability is a Server-Side Request Forgery (SSRF) weakness. In Terrascan's server mode, an attacker can submit a crafted IaC template that includes a link to an attacker-controlled URL. Terrascan then fetches content from that URL server-side; if a 'file://' URL is used, this lets the attacker read local files. No authentication is required.

What is the weakness class associated with CVE-2026-47358?

CVE-2026-47358 is associated with multiple weakness classes, including CWE-73 (External Control of File Name or Path), CWE-610 (Server-Side Request Forgery), and CWE-918 (Server-Side Request Forgery).

What is the relevance of CVE-2026-47358 given Terrascan's archived status?

Terrascan was archived in August 2023, meaning no security patches will be released. The unauthenticated server mode of Terrascan, which binds to all interfaces by default, makes it a potential target. An attacker could exploit this to read sensitive local files or access internal resources, especially if deployed in an insecure environment. Halo Surface Signal indicates a 'Possible' threat level due to its potential reachability.

What are the recommended responses to mitigate the risks of CVE-2026-47358?

Organizations should focus on detecting and blocking external URL resolutions within uploaded IaC templates when Terrascan operates in server mode. It is advisable to isolate or disable any instances of Terrascan running in server mode due to its unpatched and archived status. Monitoring network traffic for suspicious outbound connections originating from Terrascan instances during template processing is also recommended.
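As an added defensive example, not part of this advisory or of Terrascan itself, the following Python gate implements the "detect and block external URL resolutions" step recommended in the Operational Fix section and in the FAQ answer above: it scans an IaC template for URL references before the template is handed to a Terrascan server instance and flags file:// and other non-https schemes, loopback, private or link-local hosts, and hosts outside an allowlist. The allowlisted hosts and the sample templates are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# Any scheme://... token in the template text; the match stops at quotes/whitespace.
URL_RE = re.compile(r"\b([a-zA-Z][a-zA-Z0-9+.-]*)://[^\s\"'<>)\]]+")
# Assumptions: only https is acceptable, and only these hosts may be fetched.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"registry.terraform.io", "github.com"}

def _is_internal_host(host: str) -> bool:
    """True for loopback names and private, loopback or link-local addresses."""
    if host in ("localhost", ""):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: judged by the allowlist instead
    return ip.is_private or ip.is_loopback or ip.is_link_local

def find_unsafe_urls(template_text: str):
    """Return (line_no, url, reason) for every URL the server must not resolve."""
    findings = []
    for line_no, line in enumerate(template_text.splitlines(), start=1):
        for m in URL_RE.finditer(line):
            url, scheme = m.group(0), m.group(1).lower()
            host = (urlsplit(url).hostname or "").lower()
            if scheme not in ALLOWED_SCHEMES:
                findings.append((line_no, url, f"scheme {scheme}:// not allowed"))
            elif _is_internal_host(host):
                findings.append((line_no, url, f"internal host '{host}'"))
            elif host not in ALLOWED_HOSTS:
                findings.append((line_no, url, f"host '{host}' not on allowlist"))
    return findings

def is_safe_to_scan(template_text: str) -> bool:
    """Gate: pass the template on to Terrascan only when nothing was flagged."""
    return not find_unsafe_urls(template_text)

# Constructed sample templates (not from any real deployment).
SAFE_TEMPLATE = 'module "vpc" {\n  source = "https://github.com/example-org/terraform-vpc"\n}\n'
UNSAFE_TEMPLATE = """\
module "vpc" {
  source = "file:///etc/hostname"
}
locals {
  a = "https://10.0.0.5:8080/internal"
  b = "https://updates.example.net/bundle.tgz"
}
"""
```

The gate complements, and does not replace, isolating or disabling server-mode instances and egress monitoring, since it only sees URLs that appear literally in the submitted text.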
