Skip to main content

Java CVE-2026-33166

HIGH
Path Traversal (CWE-22)
2026-03-18 https://github.com/allure-framework/allure2 GHSA-64hm-gfwq-jppw
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 20:00 vuln.today
CVE Published
Mar 18, 2026 - 19:53 nvd
HIGH 8.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on io.qameta.allure:allure-generator (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.38.0.

DescriptionGitHub Advisory

Summary

The Allure report generator is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report.

Details

The vulnerability exists in several plugins where attachment paths are resolved using unvalidated user input. The code uses Path.resolve() without normalizing the path or checking if the resulting file remains within the intended results directory.

Affected Files and Lines:

Allure2Plugin.java (Line 264): final Path attachmentFile = source.resolve(attachment.getSource());

Allure1Plugin.java (Line 328): final Path attachmentFile = source.resolve(attachment.getSource());

XcTestPlugin.java (Line 181): attachments.resolve(String.format("Screenshot_%s.%s", uuid, ext))

Since resolve() allows absolute paths or ../ sequences to escape the base directory, any file readable by the process can be exfiltrated.

PoC

  1. Create a directory named allure-results.
  2. Create a file malicious-result.json inside it:
{
  "uuid": "poc-traversal",
  "name": "Path Traversal PoC",
  "status": "passed",
  "attachments": [
    {
      "name": "Sensitive Data",
      "source": "../../../../../../../../../../../etc/passwd",
      "type": "text/plain"
    }
  ]
}
  1. run allure generate allure-results -o allure-report
  2. The content of /etc/passwd will now be present in allure-report/data/attachments/.

Impact

This is a High Severity vulnerability. In CI/CD environments (GitHub Actions, Jenkins), an attacker submitting a Pull Request can exfiltrate server secrets, cloud credentials, or environment configuration files stored on the runner disk. It also may affect custom Allure web services where users can upload results, allowing them to read arbitrary files from the server's filesystem. Allure TestOps is not affected.

AnalysisAI

Path traversal in Allure report generator for Jenkins allows unauthenticated attackers to read arbitrary files from the host system by crafting malicious test result files with specially crafted attachment paths. The vulnerability stems from insufficient path validation when processing attachments during report generation, enabling sensitive files to be included in generated reports. A patch is not currently available.

Technical ContextAI

The vulnerability affects io.qameta.allure:allure-generator (Maven package) and stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The root cause exists in multiple plugin files (Allure2Plugin.java line 264, Allure1Plugin.java line 328, XcTestPlugin.java line 181) where Path.resolve() is called on user-controlled attachment source values without path normalization or validation. Java's Path.resolve() behavior treats absolute paths or paths with traversal sequences literally, allowing escape from the intended allure-results directory. When processing -result.json, -container.json, or .plist files, the generator reads attachment paths directly from these files and resolves them against the filesystem without boundary checks, making any file readable by the Allure process accessible to attackers.

RemediationAI

Users should immediately consult the vendor security advisory at https://github.com/allure-framework/allure2/security/advisories/GHSA-64hm-gfwq-jppw for patched versions and upgrade instructions for io.qameta.allure:allure-generator. As interim mitigations until patching is complete, restrict report generation to trusted result files only by implementing input validation before invoking allure generate, isolate report generation processes in sandboxed containers with minimal filesystem access using read-only mounts for sensitive directories, and avoid running Allure generators with elevated privileges or in environments with access to secrets. In CI/CD pipelines processing untrusted pull requests, execute Allure report generation in ephemeral environments without access to production credentials or sensitive configuration files. Organizations using custom Allure web services should immediately disable user upload functionality until the vulnerability is patched.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-33166 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy