Cyber Resilience

CVE-2026-47357

Critical

Published: 19 May 2026
Modified: 20 May 2026
KEV Added: not listed
Patch: none (project archived; no fix will be released)
CVSS v4 score: 9.2 (Critical)
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0048 (38.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-47357 is a critical-severity External Control of File Name or Path (CWE-73) vulnerability in Tenable Terrascan, reachable as Server-Side Request Forgery (CWE-918) through the remote directory scan endpoint when Terrascan runs in server mode. Its CVSS v4 base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 38.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter of the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled HTTP URL as remote_url with remote_type set to "http". The URL is passed directly to hashicorp/go-getter (v1.7.5) without validation. Two behaviours of go-getter's HttpGetter turn the SSRF into data theft. First, HttpGetter honours the X-Terraform-Get response header, so the attacker's server can redirect the download to a file:// URL, enabling local file read. Second, HttpGetter has Netrc set to true, so it reads ~/.netrc and sends any stored credentials to attacker-controlled hostnames. Server mode (terrascan server) binds to 0.0.0.0 with no authentication, so every network-reachable deployment running in that mode is affected. Terrascan was archived in August 2023 and no patch will be released; with no fix coming, the practical mitigations are to not expose server mode at all, or to front it with authentication and restrict the host's outbound connections.
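The check that the vulnerable code path skips, written here as an added example in Go; it is not code from Terrascan or go-getter. The parameter name remote_url is the advisory's, the resolver is injected (assumed interface, so the check runs offline; pass net.LookupIP in production), and the blocked-range list is a constructed starting point. It goes a little beyond the advisory's single http case: it rejects every non-http(s) scheme (file://, and go-getter's forced-getter forms such as git::https://...), embedded credentials, opaque URLs, and any host that resolves to a loopback, private, link-local, CGNAT or unspecified address.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver is injected so the check can run offline; use net.LookupIP in
// production. (Assumed interface, not part of Terrascan.)
type Resolver func(host string) ([]net.IP, error)

// blockedNets: loopback, private, link-local (which contains the
// 169.254.169.254 cloud metadata address), CGNAT and unspecified ranges.
// Constructed list; extend it for your own address plan.
var blockedNets = mustCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
	"::/128", "::1/128", "fc00::/7", "fe80::/10",
)

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// ipBlocked reports whether ip lies in any blocked range. IPNet.Contains
// normalises IPv4-mapped IPv6 addresses, so ::ffff:127.0.0.1 is caught too.
func ipBlocked(ip net.IP) bool {
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateRemoteURL accepts raw only if it is an http(s) URL whose host
// resolves exclusively to non-blocked addresses; everything else the
// advisory's code path would have handed to go-getter is rejected.
func ValidateRemoteURL(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("remote_url: %w", err)
	}
	// Scheme allow-list. "git::https://x" parses with scheme "git", so the
	// forced-getter prefixes fall out here along with file://.
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return nil, fmt.Errorf("remote_url: scheme %q not allowed", u.Scheme)
	}
	if u.Opaque != "" || u.User != nil {
		return nil, errors.New("remote_url: opaque form or embedded credentials not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("remote_url: missing host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		ips, err = resolve(host)
		if err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("remote_url: cannot resolve host %q", host)
		}
	}
	for _, ip := range ips {
		if ipBlocked(ip) {
			return nil, fmt.Errorf("remote_url: host %q resolves to blocked address %s", host, ip)
		}
	}
	return u, nil
}

func main() {
	// Constructed resolver standing in for DNS.
	resolve := func(host string) ([]net.IP, error) {
		if host == "internal.example" {
			return []net.IP{net.ParseIP("10.0.0.5")}, nil
		}
		return nil, errors.New("no such host")
	}
	for _, raw := range []string{
		"http://203.0.113.10/modules",
		"file:///etc/passwd",
		"http://169.254.169.254/latest/meta-data/",
		"http://internal.example/tf",
	} {
		_, err := ValidateRemoteURL(raw, resolve)
		fmt.Printf("%-42s -> %v\n", raw, err)
	}
}
```

Validation of the URL closes only the first half of the advisory. The fetch itself still has to be made with a go-getter HttpGetter whose Netrc is false and whose X-Terraform-Get handling is switched off (go-getter v1.7 exposes an XTerraformGetDisabled field for that; confirm the field against the vendored release before relying on it). The name is also resolved here and again inside the HTTP client, so a rebinding DNS answer can change between the two; applying the same ipBlocked test in the client's DialContext removes that window. None of this helps an existing deployment, where no fix will ship: there, keep server mode off the network or put authentication and an egress policy in front of it.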

CWE(s)

CWE-73 External Control of File Name or Path · CWE-918 Server-Side Request Forgery (SSRF) · CWE-610 Externally Controlled Reference to a Resource in Another Sphere

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Unauthenticated SSRF in an exposed server directly enables T1190; the resulting local file read and ~/.netrc credential theft map to T1005 and T1552.001 respectively.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-47358 (same product: Tenable Terrascan)
CVE-2026-47356 (same product: Tenable Terrascan)
CVE-2026-2697 (same vendor: Tenable)
CVE-2024-51961 (shared CWE-610, CWE-73)
CVE-2025-53912 (shared CWE-73)
CVE-2025-0111 (shared CWE-610, CWE-73)
CVE-2025-0211 (shared CWE-73)
CVE-2019-25472 (shared CWE-73)
CVE-2025-56589 (shared CWE-918)
CVE-2026-33354 (shared CWE-73)

Affected Assets

Vendor: tenable · Product: terrascan · Versions: ≤ 1.18.3

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Rejects externally supplied file or resource identifiers that fail validity checks. (addresses CWE-73, CWE-918)

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation. (addresses CWE-918)

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact. (addresses CWE-918)

Limits the impact of an externally controlled reference to a primary information resource by switching to an identified alternative. (addresses CWE-610)

Detects server-side request forgery through monitoring of unexpected outbound connections. (addresses CWE-918)