Platform
java
Component
io.qameta.allure:allure-generator
Fixed in
2.38.1
2.38.0
CVE-2026-33166 is a Path Traversal vulnerability discovered in the io.qameta.allure:allure-generator report generator. This flaw allows an attacker to read arbitrary files from the host system by crafting malicious test result files. Versions of Allure report generator prior to 2.38.0 are affected. A fix is available in version 2.38.0.
The primary impact of CVE-2026-33166 is the potential for unauthorized access to sensitive files on the system where the Allure report generator is running. An attacker can craft a malicious -result.json, -container.json, or .plist file containing attachment paths that point to arbitrary locations on the file system. When the Allure report generator processes these files, it will resolve the paths and include the contents of the targeted files in the generated report. This could expose configuration files, source code, database credentials, or other confidential data. The blast radius extends to any system where the vulnerable Allure Report Generator is used to process test results, potentially impacting development, testing, and CI/CD pipelines.
CVE-2026-33166 was publicly disclosed on 2026-03-18. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Organizations using Allure report generator for test automation and continuous integration/continuous delivery (CI/CD) pipelines are at risk. This includes teams using Java-based testing frameworks and those who store test results in shared locations accessible to multiple users. Legacy systems or environments with outdated software management practices are particularly vulnerable.
• java / server: Search recently written result files for path traversal sequences in attachment paths. The original grep pattern '..\..' matched any two characters, a literal dot and any two characters rather than a "../" sequence; the pattern below matches "../" or "..\" literally:
find /path/to/allure/results -name '*.json' -mtime -7 -print0 | xargs -0 grep -lE '\.\.[/\\]'   # list result files containing ../ or ..\ (possible path traversal attempts)
• generic web: Inspect Allure report generation logs for unusual file access patterns or errors related to file resolution.
• java / supply-chain: Review dependencies for vulnerable versions of allure-generator. Use dependency scanning tools to identify instances of Allure report generator versions <= 2.9.0.
disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33166 is to upgrade to version 2.38.0 or later of the Allure Report Generator. If upgrading is not immediately feasible, consider implementing input validation on the attachment paths within the report generation process. This could involve whitelisting allowed file extensions or implementing stricter path normalization checks. As a temporary workaround, restrict access to the directories containing test result files to prevent unauthorized modification. After upgrading, confirm the fix by generating a report with a test result file containing a path to a known, non-sensitive file and verifying that the file is not included in the report.
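The following scanner illustrates the "stricter path normalization check" suggested above and the attachment-path mechanism described earlier. It is an added example, not code from the Allure project or from this advisory. It assumes that Allure result files list attachments as objects with a "source" key, possibly nested under "steps", "befores" or "afters"; the sample result files are constructed here, and the scan flags any attachment whose resolved path (after "..", absolute paths and symlinks are taken into account) lies outside the results directory, so a reviewer can reject such results before a report is generated.

```python
"""Scan Allure result files for attachment paths that escape the results directory."""
import json
import tempfile
from pathlib import Path

# Constructed sample results (not from any real test run). The Allure result schema is
# assumed to carry attachments as {"name", "source", "type"} objects, nested under steps.
SAMPLE_RESULTS = {
    "ok-result.json": {
        "uuid": "11111111-1111-1111-1111-111111111111",
        "name": "login succeeds",
        "status": "passed",
        "attachments": [{"name": "screenshot", "source": "shot-1.png", "type": "image/png"}],
        "steps": [],
    },
    "bad-result.json": {
        "uuid": "22222222-2222-2222-2222-222222222222",
        "name": "crafted result",
        "status": "failed",
        "attachments": [{"name": "log", "source": "../../etc/hostname", "type": "text/plain"}],
        "steps": [
            {
                "name": "step 1",
                "attachments": [{"name": "abs", "source": "/etc/passwd", "type": "text/plain"}],
                "steps": [],
            }
        ],
    },
}

NESTED_KEYS = ("steps", "befores", "afters")


def iter_attachment_sources(node):
    """Yield every attachment 'source' string in a result, descending into nested nodes."""
    for att in node.get("attachments") or []:
        src = att.get("source") if isinstance(att, dict) else None
        if isinstance(src, str):
            yield src
    for key in NESTED_KEYS:
        for child in node.get(key) or []:
            if isinstance(child, dict):
                yield from iter_attachment_sources(child)


def stays_inside(base, source):
    """True if base/source, after resolving '..' and symlinks, is still under base.

    An absolute 'source' replaces base when joined, so it is rejected here as well.
    """
    base_r = Path(base).resolve()
    target = (base_r / source).resolve()
    try:
        target.relative_to(base_r)
    except ValueError:
        return False
    return True


def find_escaping_attachments(results_dir):
    """Return (file name, source) pairs whose source does not stay inside results_dir."""
    base = Path(results_dir)
    findings = []
    files = sorted(base.glob("*-result.json")) + sorted(base.glob("*-container.json"))
    for path in files:
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed file: not a traversal finding
        if not isinstance(data, dict):
            continue
        for src in iter_attachment_sources(data):
            if not stays_inside(base, src):
                findings.append((path.name, src))
    return findings


def demo():
    """Write the constructed samples to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, doc in SAMPLE_RESULTS.items():
            (Path(tmp) / name).write_text(json.dumps(doc), encoding="utf-8")
        return find_escaping_attachments(tmp)


if __name__ == "__main__":
    for fname, src in demo():
        print(f"{fname}: attachment source escapes the results directory: {src}")
```

Run the script against a real results directory by calling find_escaping_attachments on that path; an empty list means every attachment resolves beneath the results directory. Resolving the base directory first and then joining keeps the check correct when the results directory itself sits behind a symlink.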
Update Allure Report to version 2.38.0 or later. This version fixes the arbitrary file read vulnerability via path traversal. The update will prevent attackers from accessing sensitive files on the host system during report generation.
CVE-2026-33166 is a Path Traversal vulnerability affecting Allure report generator versions up to 2.9.0. It allows attackers to read arbitrary files from the host system by crafting malicious test result files.
You are affected if you are using Allure report generator versions 2.9.0 or earlier. Check your installed version and upgrade if necessary.
Upgrade to version 2.38.0 or later. If immediate upgrade isn't possible, implement input validation on test result files.
While no active exploitation campaigns have been publicly reported, the vulnerability is easy to exploit, so the risk should not be dismissed.
Refer to the official io.qameta advisory for detailed information and updates: [https://github.com/allure-framework/allure-generator/security/advisories/GHSA-xxxx-xxxx-xxxx](Replace with actual advisory link)