PT-2026-26203 · Allure · Allure

Thanostsiamis · Published 2026-03-18 · Updated 2026-03-21 · CVE-2026-33166

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Allure versions prior to 2.38.0

Description
The Allure report generator is susceptible to an arbitrary file read caused by a path traversal issue when processing test results. An attacker can create a malicious result file (such as a file ending in -result.json, -container.json, or .plist) whose attachment source points to a sensitive file on the host system. During report generation, Allure resolves these paths, potentially including sensitive files in the final report.

The issue stems from unvalidated user input used when resolving attachment paths, specifically in calls to Path.resolve(), which neither normalizes the path nor verifies that the result remains within the intended results directory. resolve() accepts absolute paths and "../" sequences that escape the base directory, enabling access to any readable file. The vulnerable files include Allure2Plugin.java (Line 264), Allure1Plugin.java (Line 328), and XcTestPlugin.java (Line 181).

This could allow an attacker to exfiltrate server secrets, cloud credentials, or environment configuration files in CI/CD environments or custom Allure web services.

Recommendations
Versions prior to 2.38.0 should be updated to version 2.38.0 or later.
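
The containment check that the description says is missing, shown next to a bare resolve() call. This is an added example, not Allure's code or its 2.38.0 fix; the class name, method names and sample attachment sources are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.Optional;

public class AttachmentPathCheck {

    // Behaviour described in the advisory: resolve() alone lets an absolute
    // source replace the base and leaves "../" segments in the result.
    static Path naiveResolve(Path resultsDir, String source) {
        return resultsDir.resolve(source);
    }

    // Hardened form: canonicalise the base, normalise the candidate, require
    // containment, then re-check after following symlinks if the file exists.
    static Optional<Path> safeResolve(Path resultsDir, String source) throws IOException {
        Path base = resultsDir.toRealPath();
        Path candidate = base.resolve(source).normalize();
        if (!candidate.startsWith(base)) {
            return Optional.empty(); // absolute path or "../" escaped the base
        }
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            return Optional.empty(); // symlink pointing outside the results directory
        }
        return Optional.of(candidate);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample results directory with one legitimate attachment.
        Path resultsDir = Files.createTempDirectory("allure-results");
        Files.writeString(resultsDir.resolve("log-attachment.txt"), "ok");
        // Constructed attachment sources, as they might appear in a result file.
        List<String> sources = List.of(
                "log-attachment.txt", "sub/../log-attachment.txt",
                "../../etc/passwd", "/etc/passwd");
        for (String source : sources) {
            // naive= shows where the unchecked path lands once normalised.
            System.out.printf("%-28s naive=%s safe=%s%n", source,
                    naiveResolve(resultsDir, source).normalize(),
                    safeResolve(resultsDir, source).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```

The first two sources stay inside the results directory and are accepted; the last two are rejected by the startsWith check, while the naive call resolves them to locations outside the directory.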

Exploit

Fix

Path traversal


Weakness Enumeration

Related identifiers

CVE-2026-33166
GHSA-64HM-GFWQ-JPPW

Affected products

Allure