CVE-2026-33166

HIGH

Allure Report <2.38.0 Attachment Processing - Arbitrary File Read

Title source: manual

Description

Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report. Version 2.38.0 fixes the issue.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/allure-framework/allure2/security/advisories/GHSA-64hm-gfwq-jppw

Scores

CVSS v3 8.6

EPSS 0.0054

EPSS Percentile 41.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (3)

allure-framework/allure2 < 2.38.0

io.qameta.allure/allure-generator 0 - 2.38.0Maven

qameta/allure_report < 2.38.0

Published Mar 20, 2026

Tracked Since Mar 21, 2026