CVE-2026-33166
Published: 20 March 2026
Summary
CVE-2026-33166 is a high-severity Path Traversal (CWE-22) vulnerability in Qameta Allure Report. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 7.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of untrusted inputs like attachment paths in malicious test result files to block path traversal and prevent arbitrary file reads.
SI-2 mandates timely flaw remediation by upgrading Allure Report generator to version 2.38.0 or later to fix the path traversal vulnerability.
AC-6 least privilege limits the Allure process to minimal file system access, preventing disclosure of sensitive host files via path traversal even if input validation fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in result file processing directly enables arbitrary local file reads (T1005), including credential files (T1552.001) that are then embedded in generated reports.
NVD Description
Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can…
more
craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report. Version 2.38.0 fixes the issue.
Deeper analysisAI
CVE-2026-33166 is a path traversal vulnerability (CWE-22) affecting the Allure Report generator in Allure 2, the 2.x branch of a multi-language test reporting tool. Versions prior to 2.38.0 are vulnerable to arbitrary file reads when processing test result files. An attacker can craft a malicious result file, such as those with extensions -result.json, -container.json, or .plist, that uses path traversal to reference sensitive files on the host system. During report generation, Allure resolves these paths and incorporates the contents of the targeted files into the final report.
The vulnerability can be exploited remotely by unauthenticated attackers with network access, requiring low complexity and no user interaction, as reflected in its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). Exploitation occurs when a victim processes attacker-supplied test results, such as in CI/CD pipelines or shared testing environments, allowing the attacker to disclose sensitive host files like configuration data, credentials, or system logs embedded in the generated report.
The official GitHub security advisory (GHSA-64hm-gfwq-jppw) for the Allure Framework confirms the issue and states that upgrading to version 2.38.0 fixes the vulnerability by addressing the improper path resolution during attachment processing.
Details
- CWE(s)