Server-Side Request Forgery in Terrascan by Tenable
CVE-2026-47358

9.3 CRITICAL

Key Information:

Vendor: Tenable
Status: Vendor
CVE Published: 19 May 2026

What is CVE-2026-47358?

Terrascan versions up to and including 1.18.3 are vulnerable to Server-Side Request Forgery (SSRF) because external URL references in uploaded Infrastructure as Code (IaC) templates are resolved without proper validation. An attacker can exploit the flaw by uploading an ARM or CloudFormation template that links to an attacker-controlled URL. When Terrascan runs in server mode with the default detectors enabled, it fetches such URLs without authentication, which can expose sensitive system details or trigger unauthorized actions. Notably, local file reads need no special redirects, which amplifies the risk. Terrascan has been archived, so no patch will be released for this issue.
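As an added illustration (not Terrascan's own code), the kind of guard a server-mode template scanner needs before resolving any URL referenced by an uploaded template: it refuses every scheme other than https and any host that resolves to a loopback, private, link-local or unspecified address. `CheckTemplateURL`, `ErrBlocked` and the injected `lookup` resolver are names chosen here; the resolver is injected only so the guard can be exercised offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// ErrBlocked marks a template-referenced URL that must not be fetched.
var ErrBlocked = errors.New("blocked template URL")

// isInternal: loopback, private, link-local (covers cloud metadata endpoints) or unspecified.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// CheckTemplateURL validates a URL found in an uploaded IaC template before any
// server-side fetch. lookup is injected so the guard runs offline in tests;
// production would pass net.LookupIP (assumption, not Terrascan's API).
func CheckTemplateURL(raw string, lookup func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%w: unparsable %q", ErrBlocked, raw)
	}
	// file://, gopher://, plain http and friends are never fetched.
	if u.Scheme != "https" {
		return fmt.Errorf("%w: scheme %q not allowed", ErrBlocked, u.Scheme)
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not a literal address: resolve it (an empty host fails here too)
		if ips, err = lookup(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("%w: cannot resolve %q", ErrBlocked, host)
		}
	}
	// Reject if ANY address is internal; callers should dial the checked IP, not re-resolve (DNS rebinding).
	for _, ip := range ips {
		if isInternal(ip) {
			return fmt.Errorf("%w: %s resolves to internal address %s", ErrBlocked, host, ip)
		}
	}
	return nil
}

func main() {
	fmt.Println(CheckTemplateURL("https://169.254.169.254/", net.LookupIP)) // constructed input
}
```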

Affected Version(s)

Terrascan: 0 <= version <= 1.18.3 (all releases up to and including 1.18.3)

CVSS v4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Tristan Madani (@TristanInSec) from Talence Security.