Server-Side Request Forgery Vulnerability in Terrascan by Tenable
CVE-2026-47356

8.7 HIGH

Key Information:

Vendor: Tenable
Status: Vendor
CVE Published: 19 May 2026

What is CVE-2026-47356?

Terrascan versions 1.18.3 and earlier are susceptible to a Server-Side Request Forgery (SSRF) vulnerability via the webhook_url parameter of the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan). When Terrascan runs in server mode, an unauthenticated remote attacker can supply an arbitrary URL in the webhook_url multipart form parameter. The server then delivers the complete scan results, in JSON format, to that URL, together with the attacker-supplied webhook_token sent as a Bearer token in the Authorization header. The HTTP client used for the webhook call retries on failure, which may amplify the impact. Terrascan was archived in August 2023, so no patch will be released for this vulnerability.
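
A defensive check of the kind that closes this class of flaw, written here as an added example and not taken from Terrascan's code: it gates the webhook_url value before any HTTP client is allowed to post scan results and the Bearer webhook_token to it. The allowlist, the Resolver type and the stub resolver are assumptions for illustration.

```go
// Added example, not Terrascan code: a hypothetical allowlist check for webhook_url.
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver lets callers (and offline tests) inject DNS results.
type Resolver func(host string) ([]net.IP, error)

// ValidateWebhookURL gates the webhook_url form value before any HTTP client posts
// scan results and the Bearer webhook_token to it: https only, host allowlisted, and
// every resolved address public (rejects loopback, private, link-local, unspecified).
func ValidateWebhookURL(raw string, allowed map[string]bool, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("webhook_url unparsable: %w", err)
	}
	if u.Scheme != "https" {
		return errors.New("webhook_url must use https")
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || !allowed[host] {
		return fmt.Errorf("host %q not in webhook allowlist", host)
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return fmt.Errorf("%q resolves to non-public address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a stub resolver so this runs offline (hostnames are made up).
	stub := func(host string) ([]net.IP, error) { return []net.IP{net.ParseIP("203.0.113.10")}, nil }
	allow := map[string]bool{"hooks.example.internal": true}
	for _, raw := range []string{"https://hooks.example.internal/ci", "http://hooks.example.internal/ci"} {
		fmt.Println(raw, "->", ValidateWebhookURL(raw, allow, stub))
	}
}
```

Resolving the host and checking every returned address, rather than only the literal host string, is what stops an allowlisted name from being pointed at an internal address.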

Affected Version(s)

Terrascan, all versions up to and including 1.18.3 (0 <= version <= 1.18.3)

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Tristan Madani (@TristanInSec) from Talence Security