Java
CVE-2026-33166
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 maven packages depend on io.qameta.allure:allure-generator (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.38.0.
DescriptionGitHub Advisory
Summary
The Allure report generator is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report.
Details
The vulnerability exists in several plugins where attachment paths are resolved using unvalidated user input. The code uses Path.resolve() without normalizing the path or checking if the resulting file remains within the intended results directory.
Affected Files and Lines:
Allure2Plugin.java (Line 264): final Path attachmentFile = source.resolve(attachment.getSource());
Allure1Plugin.java (Line 328): final Path attachmentFile = source.resolve(attachment.getSource());
XcTestPlugin.java (Line 181): attachments.resolve(String.format("Screenshot_%s.%s", uuid, ext))
Since resolve() allows absolute paths or ../ sequences to escape the base directory, any file readable by the process can be exfiltrated.
PoC
- Create a directory named allure-results.
- Create a file malicious-result.json inside it:
{
"uuid": "poc-traversal",
"name": "Path Traversal PoC",
"status": "passed",
"attachments": [
{
"name": "Sensitive Data",
"source": "../../../../../../../../../../../etc/passwd",
"type": "text/plain"
}
]
}- run
allure generate allure-results -o allure-report - The content of
/etc/passwdwill now be present inallure-report/data/attachments/.
Impact
This is a High Severity vulnerability. In CI/CD environments (GitHub Actions, Jenkins), an attacker submitting a Pull Request can exfiltrate server secrets, cloud credentials, or environment configuration files stored on the runner disk. It also may affect custom Allure web services where users can upload results, allowing them to read arbitrary files from the server's filesystem. Allure TestOps is not affected.
AnalysisAI
Path traversal in Allure report generator for Jenkins allows unauthenticated attackers to read arbitrary files from the host system by crafting malicious test result files with specially crafted attachment paths. The vulnerability stems from insufficient path validation when processing attachments during report generation, enabling sensitive files to be included in generated reports. A patch is not currently available.
Technical ContextAI
The vulnerability affects io.qameta.allure:allure-generator (Maven package) and stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The root cause exists in multiple plugin files (Allure2Plugin.java line 264, Allure1Plugin.java line 328, XcTestPlugin.java line 181) where Path.resolve() is called on user-controlled attachment source values without path normalization or validation. Java's Path.resolve() behavior treats absolute paths or paths with traversal sequences literally, allowing escape from the intended allure-results directory. When processing -result.json, -container.json, or .plist files, the generator reads attachment paths directly from these files and resolves them against the filesystem without boundary checks, making any file readable by the Allure process accessible to attackers.
RemediationAI
Users should immediately consult the vendor security advisory at https://github.com/allure-framework/allure2/security/advisories/GHSA-64hm-gfwq-jppw for patched versions and upgrade instructions for io.qameta.allure:allure-generator. As interim mitigations until patching is complete, restrict report generation to trusted result files only by implementing input validation before invoking allure generate, isolate report generation processes in sandboxed containers with minimal filesystem access using read-only mounts for sensitive directories, and avoid running Allure generators with elevated privileges or in environments with access to secrets. In CI/CD pipelines processing untrusted pull requests, execute Allure report generation in ephemeral environments without access to production credentials or sensitive configuration files. Organizations using custom Allure web services should immediately disable user upload functionality until the vulnerability is patched.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-64hm-gfwq-jppw