CVE-2026-47357: Terrascan SSRF Exposes Local Files, Credentials

/HIGH /CVSS 7.5/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severityserver-side-request-forgerycwe-73cwe-610cwe-918
CVE-2026-47357: Terrascan SSRF Exposes Local Files, Credentials

The National Vulnerability Database has detailed CVE-2026-47357, a critical Server-Side Request Forgery (SSRF) vulnerability in Terrascan v1.18.3 and earlier. This flaw exists in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when Terrascan is deployed in server mode. An unauthenticated attacker can manipulate the remote_url parameter, setting remote_type to “http” and supplying an attacker-controlled HTTP URL.

The vulnerability leverages hashicorp/go-getter (v1.7.5), which Terrascan uses without adequate validation. The attacker’s server can exploit go-getter’s X-Terraform-Get response header to redirect the download to a file:// URL, enabling local file disclosure. Compounding this, go-getter has Netrc enabled by default, leading to the exposure of credentials stored in ~/.netrc to the attacker’s host. This is particularly dangerous for deployments running terrascan server that bind to 0.0.0.0 without authentication. Crucially, Terrascan was archived in August 2023, meaning no official patch will be released for this high-severity (CVSS 7.5) issue.

What This Means For You

  • If your organization uses Terrascan in server mode, especially if exposed publicly or internally without authentication, you are at severe risk. This isn't just a theoretical vulnerability; it's a direct path to local file reads and credential theft via SSRF. Given that Terrascan is unmaintained, you must immediately assess your deployment strategy. Either disable server mode entirely or implement robust network segmentation and strict access controls to prevent unauthenticated access. Assume any credentials stored in `~/.netrc` on affected systems are compromised and revoke them.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1071.001 Web Protocols Command and Control T1537 Transfer Data to Cloud Account Collection

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-47357: Terrascan SSRF Remote Directory Scan with file:// URL

Sigma YAML — free preview 
title: CVE-2026-47357: Terrascan SSRF Remote Directory Scan with file:// URL
id: scw-2026-05-19-ai-1
status: experimental
level: critical
description: |
  Detects the specific SSRF exploit pattern for CVE-2026-47357 in Terrascan. An attacker crafts a POST request to the '/v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan' endpoint with 'remote_type=http' and a 'remote_url' starting with 'file://'. This indicates an attempt to read local files via the vulnerable go-getter library.
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-47357/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-method:
          - 'POST'
      uri|startswith:
          - '/v1/'
      uri|endswith:
          - '/remote/dir/scan'
      cs-uri-query|contains:
          - 'remote_type=http'
      cs-uri-query|contains:
          - 'remote_url=file://'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-47357 Vulnerability CVE-2026-47357

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 19, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-20240 — Denial of Service

CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-20
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma

Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data

CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...

vulnerabilityCVEhigh-severitycwe-532
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 5 IOCs /⚙ 4 Sigma

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...

vulnerabilityCVEmedium-severitycwe-863
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma