CVE-2026-47358: Terrascan SSRF Allows Local File Read in Server Mode

The National Vulnerability Database has disclosed CVE-2026-47358, a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting Terrascan versions 1.18.3 and prior. This flaw enables unauthenticated remote attackers to achieve local file read when Terrascan is deployed in server mode (terrascan server). The vulnerability stems from Terrascan’s handling of external URL resolution within uploaded Infrastructure as Code (IaC) templates, specifically ARM and CloudFormation templates.

Attackers can embed malicious templateLink.uri or parametersLink.uri fields in ARM templates, or AWS::CloudFormation::Stack TemplateURL fields in CloudFormation templates, pointing to attacker-controlled URLs. Terrascan, leveraging hashicorp/go-getter with default detectors including FileDetector, will then fetch these URLs server-side. Crucially, the National Vulnerability Database highlights that file:// URLs are directly usable, bypassing the need for an X-Terraform-Get redirect, which facilitates local file enumeration.

This vulnerability is particularly critical for deployments running Terrascan in server mode, as it binds to 0.0.0.0 without any authentication. Defenders must recognize that Terrascan was archived in August 2023, meaning no official patch will be released. Organizations still using Terrascan in server mode are operating with an unfixable, high-severity vulnerability that permits arbitrary local file access.
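As an added, defender-side example (not Terrascan's or go-getter's own code), the following Go program pre-screens an uploaded ARM or CloudFormation JSON template for the link fields named above and rejects any whose value is not an https URL, so a template carrying a file:// reference never reaches the scanner's fetcher. The JSON sample is constructed, and the field paths are assumed from this advisory rather than taken from Terrascan's source.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Finding is one external reference that a go-getter based fetcher would retrieve server-side.
type Finding struct{ Path, URI string }
// AuditTemplate parses an ARM or CloudFormation JSON template and returns every
// templateLink.uri, parametersLink.uri or TemplateURL value that is not an https URL.
// This blocks the direct file:// vector described in the advisory; the remaining https
// destinations should still be restricted to trusted hosts by the caller.
func AuditTemplate(raw []byte) ([]Finding, error) {
	var doc interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	var out []Finding
	walk("$", doc, &out)
	return out, nil
}

// walk visits every node, tracking a dotted path so link fields are found at any nesting depth.
func walk(path string, node interface{}, out *[]Finding) {
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			walk(path+"."+k, child, out)
		}
	case []interface{}:
		for i, child := range v {
			walk(fmt.Sprintf("%s[%d]", path, i), child, out)
		}
	case string:
		isLink := strings.HasSuffix(path, ".templateLink.uri") || strings.HasSuffix(path, ".parametersLink.uri") || strings.HasSuffix(path, ".TemplateURL")
		if u, err := url.Parse(strings.TrimSpace(v)); isLink && (err != nil || !strings.EqualFold(u.Scheme, "https")) {
			*out = append(*out, Finding{path, v})
		}
	}
}
// sample is a constructed ARM fragment (not from the advisory): the https link passes, the file:// link is rejected.
const sample = `{"resources":[{"type":"Microsoft.Resources/deployments","properties":{"templateLink":{"uri":"https://example.com/t.json"},"parametersLink":{"uri":"file:///etc/hostname"}}}]}`

func main() {
	findings, _ := AuditTemplate([]byte(sample))
	fmt.Println(findings) // [{$.resources[0].properties.parametersLink.uri file:///etc/hostname}]
}
```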

What This Means For You

  • If your organization uses Terrascan in server mode (`terrascan server`), you are exposed to unauthenticated, remote local file read. This isn't a theoretical risk; it's a direct path for attackers to exfiltrate sensitive configuration files or credentials. Given that Terrascan is end-of-life and unpatched, you need to assess your exposure immediately. Disable server mode, or implement strict access controls and network segmentation to prevent external access to Terrascan instances. Alternatively, migrate to a supported and actively maintained IaC security scanner.

🛡️ Detection Rules

Severity: high · ATT&CK: T1190 (Initial Access)

CVE-2026-47358: Terrascan Server Mode SSRF Local File Read via ARM Template

title: 'CVE-2026-47358: Terrascan Server Mode SSRF Local File Read via ARM Template'
id: scw-2026-05-19-ai-1
status: experimental
level: high
description: |
  Detects an attempt to exploit CVE-2026-47358 by uploading an ARM template in Terrascan server mode. The rule specifically looks for POST requests to the '/api/v1/scan' endpoint with 'template_type=arm' and a 'templateLink.uri' parameter, which is characteristic of the SSRF vulnerability allowing local file reads via file:// URIs.
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-47358/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/v1/scan'
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'template_type=arm'
  selection_indicators:
    cs-uri-query|contains:
      - 'templateLink.uri='
  condition: selection and selection_indicators
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World


Indicators of Compromise

ID             | Type          | Indicator
CVE-2026-47358 | Vulnerability | CVE-2026-47358

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 19, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
