CVE-2026-47357

Name of the Vulnerable Software and Affected Versions Terrascan versions prior to 1.18.4

Description When running in server mode, the software is susceptible to Server-Side Request Forgery (SSRF) through the remote url parameter in the "POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan" endpoint. An unauthenticated remote attacker can provide a controlled HTTP URL as remote url while setting remote type to "http". This URL is processed by the hashicorp/go-getter library without validation. The library's HttpGetter supports the X-Terraform-Get response header, which allows a malicious server to redirect the download to a file:// URL, resulting in local file read. Furthermore, because Netrc is enabled, the system may read ~/.netrc and transmit stored credentials to attacker-controlled hostnames. This issue specifically impacts deployments where the server binds to 0.0.0.0 without authentication.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.