Platform: java
Component: io.qameta.allure:allure-generator
Fixed in: 2.38.1, 2.38.0
CVE-2026-33166 is a path traversal vulnerability in the io.qameta.allure:allure-generator report generator. An attacker who can supply test result files to a report generation run can make the generator read arbitrary files from the host that builds the report. Versions of the Allure report generator prior to 2.38.0 are affected; the fix shipped in 2.38.0 (2.38.1 is also listed as a fixed release).
The flaw lies in how Allure resolves attachment paths found in test result files. A malicious -result.json, -container.json, or .plist file can carry an attachment path such as a "../"-relative or absolute path. During report generation that path is resolved against the results directory with Path.resolve(), which neither normalizes ".." segments nor rejects absolute inputs, and no containment check is applied afterwards. The resolved path can therefore point outside the intended directory, and the referenced file is pulled into the report as if it were a test attachment, exposing configuration files, credentials, or source code from the generating host to anyone who can view the report. The blast radius covers any system, typically a CI runner, that feeds untrusted or tampered test results to an unpatched Allure report generator.
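The following is an added example, not code from allure-generator, that reproduces the class of bug described above in isolation: an attacker-controlled attachment `source` resolved with `Path.resolve()` and no containment check, next to a hardened variant that normalizes the result and requires it to remain a direct child of the results directory. The directory name `/ci/allure-results` and the attachment strings are constructed for the demonstration and assume Unix-style paths.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

/**
 * Demonstrates the path traversal pattern behind CVE-2026-33166.
 * Added example; not code from allure-generator. The results directory
 * and the attachment "source" strings below are constructed inputs.
 */
public class AttachmentPathDemo {

    /** Vulnerable pattern: resolve() does not collapse ".." and returns an
     *  absolute argument unchanged, so the result may point anywhere. */
    static Path resolveUnchecked(Path resultsDir, String source) {
        return resultsDir.resolve(source);
    }

    /** Hardened pattern: normalize, then require the result to stay inside
     *  resultsDir. Path.startsWith() compares whole name elements, so a
     *  sibling such as "/ci/allure-results-old" is not mistaken for a child.
     *  Attachment sources are expected to be bare file names, so the result
     *  must also be a direct child of the results directory. */
    static Path resolveContained(Path resultsDir, String source) {
        Path base = resultsDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(source).normalize();
        if (!candidate.startsWith(base) || !base.equals(candidate.getParent())) {
            throw new IllegalArgumentException("attachment source escapes results dir: " + source);
        }
        // Caveat: this lexical check does not defeat a symlink planted inside
        // resultsDir; once the file exists, also compare candidate.toRealPath()
        // against base.toRealPath().
        return candidate;
    }

    public static void main(String[] args) {
        Path resultsDir = Paths.get("/ci/allure-results");
        List<String> sources = List.of(
                "3f2a-attachment.txt",         // legitimate: bare file name
                "../../etc/passwd",            // traversal via ".."
                "/etc/shadow",                 // absolute path: resolve() returns it as-is
                "sub/../../../home/ci/.netrc"  // traversal hidden behind a subdirectory
        );
        for (String s : sources) {
            Path unchecked = resolveUnchecked(resultsDir, s);
            String verdict;
            try {
                resolveContained(resultsDir, s);
                verdict = "accepted";
            } catch (IllegalArgumentException e) {
                verdict = "rejected";
            }
            System.out.printf("%-30s unchecked -> %-32s hardened -> %s%n",
                    s, unchecked.normalize(), verdict);
        }
    }
}
```

Only the first input is accepted by the hardened resolver; the other three normalize to `/etc/passwd`, `/etc/shadow` and `/home/ci/.netrc` respectively, which is exactly what the unchecked `resolve()` hands back to the caller.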
This vulnerability was publicly disclosed on 2026-03-18. No active exploitation campaigns have been publicly reported, and the vulnerability is not currently listed in the CISA KEV catalog. Because a malicious test result file is trivial to craft and requires no privileges beyond the ability to contribute test output, a public proof-of-concept is plausible.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC: not available
CVSS Vector: not available
The primary mitigation is to upgrade to version 2.38.0 or later, which adds the missing containment check to attachment path resolution. If upgrading is not immediately feasible, validate test result files before handing them to Allure: reject any attachment source that is not a bare file name (contains a path separator, a ".." segment, or is absolute). Allowlisting file extensions alone does not help, since a traversal path can end in any extension. Additionally, restrict write access to the directory where test results are stored so that only the test runner can add or modify files, and monitor report generation processes for reads outside the results directory. After upgrading, confirm the fix by generating a report from a result file whose attachment path traverses to a canary file you created for the purpose (not to a real credential file); a patched generator must not copy the canary into the report.
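The post-upgrade check described above, as an added example that is not part of the original page or the Allure project: it writes a canary file and a single result file whose attachment `source` climbs out of the results directory, and then scans a generated report for the canary. The JSON layout follows the Allure 2 result schema as far as it is known to the author (`uuid`, `name`, `status`, `stage`, `attachments[].source`) and is an assumption, as is the `allure generate <results> -o <report>` invocation, which this code does not run itself.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.UUID;
import java.util.stream.Stream;

/**
 * Traversal probe for verifying the CVE-2026-33166 fix. Added example, not
 * project code. Run it once to create the probe, run the allure CLI on the
 * results directory yourself, then run it again: if a report directory
 * exists it is scanned for the canary. The canary text is a constructed
 * constant so both runs look for the same string.
 */
public class TraversalProbe {

    static final String CANARY = "CVE-2026-33166-canary-7c1e";

    /** Creates <workDir>/canary.txt and <workDir>/allure-results/<uuid>-result.json
     *  whose single attachment points at "../canary.txt", i.e. outside results. */
    static Path writeProbe(Path workDir) throws IOException {
        Path resultsDir = Files.createDirectories(workDir.resolve("allure-results"));
        Files.writeString(workDir.resolve("canary.txt"), CANARY, StandardCharsets.UTF_8);
        String uuid = UUID.randomUUID().toString();
        // Assumed Allure 2 result layout; only the attachment source matters here.
        String json = String.join("\n",
                "{",
                "  \"uuid\": \"" + uuid + "\",",
                "  \"name\": \"traversal probe\",",
                "  \"status\": \"passed\",",
                "  \"stage\": \"finished\",",
                "  \"attachments\": [",
                "    { \"name\": \"probe\", \"source\": \"../canary.txt\", \"type\": \"text/plain\" }",
                "  ]",
                "}");
        Path resultFile = resultsDir.resolve(uuid + "-result.json");
        Files.writeString(resultFile, json, StandardCharsets.UTF_8);
        return resultFile;
    }

    /** Returns true if any regular file under reportDir contains the canary,
     *  meaning the generator followed the traversal and copied the file in. */
    static boolean reportLeaksCanary(Path reportDir) throws IOException {
        try (Stream<Path> files = Files.walk(reportDir)) {
            for (Path p : (Iterable<Path>) files::iterator) {
                if (Files.isRegularFile(p)) {
                    // ISO-8859-1 maps every byte to a char, so binary files are safe to scan.
                    String content = new String(Files.readAllBytes(p), StandardCharsets.ISO_8859_1);
                    if (content.contains(CANARY)) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        Path workDir = Paths.get(args.length > 0 ? args[0] : "probe-work").toAbsolutePath();
        Path probe = writeProbe(workDir);
        System.out.println("wrote " + probe);
        System.out.println("now run: allure generate " + workDir.resolve("allure-results")
                + " -o " + workDir.resolve("report"));
        Path reportDir = workDir.resolve("report");
        if (Files.isDirectory(reportDir)) {
            System.out.println(reportLeaksCanary(reportDir)
                    ? "FAIL: canary found in report, generator followed the traversal"
                    : "OK: canary not copied into report");
        }
    }
}
```

Because the canary lives one directory above the results directory and the attachment source is a relative "../canary.txt", the check exercises the same resolution path an attacker would use while touching nothing sensitive on the host.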
Upgrade Allure Report to version 2.38.0 or later. This version fixes the arbitrary file read via path traversal. Upgrading prevents attackers from reaching sensitive files on the host system during report generation.
CVE-2026-33166 is a path traversal vulnerability affecting Allure report generator versions prior to 2.38.0. It allows attackers to read arbitrary files from the host system by crafting malicious test result files.
You are affected if you are using an Allure report generator version earlier than 2.38.0. Check your installed version and upgrade if necessary.
Upgrade to version 2.38.0 or later. If an immediate upgrade is not possible, validate test result files before processing and reject attachment sources that are not bare file names.
No active exploitation campaigns have been publicly reported, but the vulnerability is easy to exploit and should be treated as a real risk wherever untrusted test results are processed.
Refer to the official advisory for detailed information and updates: https://github.com/allure-framework/allure-generator/security/advisories/GHSA-xxxx-xxxx-xxxx (the GHSA identifier is a placeholder on this page; replace it with the actual advisory link).