Server-Side Request Forgery in Terrascan by Tenable
CVE-2026-47357

9.3 CRITICAL

Key Information:

Vendor: Tenable
Status: Vendor
CVE Published: 19 May 2026

What is CVE-2026-47357?

Terrascan, up to and including version 1.18.3, is vulnerable to Server-Side Request Forgery (SSRF) via the 'remote_url' parameter of its remote directory scan endpoint when it is deployed in server mode. Because the value is insufficiently validated, an unauthenticated attacker can supply an arbitrary HTTP URL, which the underlying go-getter module then fetches. A malicious server can answer that request with a redirect to a 'file://' URL, which can result in local file disclosure. The flaw also compromises stored credentials: HttpGetter is configured to read the '.netrc' file, so the credentials it holds are exposed to whoever controls the host the request is sent to. Terrascan has been archived since August 2023, so no security patch will be released.
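As an added defensive example, not Terrascan's or go-getter's own code, the Go snippet below shows the two controls the description implies: a scheme allow-list applied to the 'remote_url' value before it reaches any fetcher, and an http.Client whose redirect hook re-applies that check so a redirect to 'file://' is refused rather than followed. The function names ValidateRemoteURL and NewFetchClient are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// ErrScheme is returned for any URL whose scheme is not http or https.
var ErrScheme = errors.New("remote_url: only http and https are allowed")
// ValidateRemoteURL (assumed name) checks a user-supplied remote_url before
// it reaches any fetching library, so file://, s3:// or git:: forms never get there.
func ValidateRemoteURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("remote_url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, ErrScheme
	}
	if u.Host == "" {
		return nil, errors.New("remote_url: missing host")
	}
	return u, nil
}

// NewFetchClient (assumed name) returns an http.Client whose CheckRedirect
// re-validates every redirect target, so a 3xx pointing at file:// is
// refused instead of followed. net/http never reads ~/.netrc, so no stored
// credentials are attached to the outgoing request.
func NewFetchClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("remote_url: too many redirects")
			}
			if _, err := ValidateRemoteURL(req.URL.String()); err != nil {
				return fmt.Errorf("redirect refused: %w", err)
			}
			return nil
		},
	}
}

func main() {
	// Constructed input: the redirect target a hostile remote might send.
	req, _ := http.NewRequest("GET", "file:///etc/passwd", nil)
	fmt.Println(NewFetchClient().CheckRedirect(req, nil))
}
```

Validating once at the endpoint is not enough on its own, because the redirect hop is where the page's attack path switches schemes; the client hook closes that second door.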

Affected Version(s)

Terrascan 0 <= 1.18.3

References

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Tristan Madani (@TristanInSec) from Talence Security.