
CVE-2026-33166

Severity: High · Public PoC

Published: 20 March 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: version 2.38.0
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0054 (41.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33166 is a high-severity Path Traversal (CWE-22) vulnerability in Qameta Allure Report. Its CVSS base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 41.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33166 is a path traversal vulnerability (CWE-22) affecting the Allure Report generator in Allure 2, the 2.x branch of a multi-language test reporting tool. Versions prior to 2.38.0 are vulnerable to arbitrary file reads when processing test result files. An attacker can craft a malicious result file (for example one with the extension -result.json, -container.json, or .plist) whose attachment source uses path traversal to reference sensitive files on the host system. During report generation, Allure resolves these paths and incorporates the contents of the targeted files into the final report.

The vulnerability can be exploited remotely by unauthenticated attackers with network access, requiring low complexity and no user interaction, as reflected in its CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). Exploitation occurs when a victim processes attacker-supplied test results, such as in CI/CD pipelines or shared testing environments, allowing the attacker to disclose sensitive host files like configuration data, credentials, or system logs embedded in the generated report.

The official GitHub security advisory (GHSA-64hm-gfwq-jppw) for the Allure Framework confirms the issue and states that upgrading to version 2.38.0 fixes the vulnerability by addressing the improper path resolution during attachment processing.


Vulnerability details

Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report. Version 2.38.0 fixes the issue.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Path traversal in result file processing directly enables arbitrary local file reads (T1005), including credential files (T1552.001) that are then embedded in generated reports.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One (shared CWE-22)

CVE-2026-4659
CVE-2026-23491
CVE-2025-1035
CVE-2026-0651
CVE-2026-24849
CVE-2025-2292
CVE-2026-26985
CVE-2026-35668
CVE-2020-36939
CVE-2026-26217

Affected Assets

Vendor: qameta
Product: allure report
Versions: ≤ 2.38.0

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 (prevent): requires validation of untrusted inputs, such as attachment paths in malicious test result files, to block path traversal and prevent arbitrary file reads.

SI-2 (prevent): mandates timely flaw remediation by upgrading the Allure Report generator to version 2.38.0 or later to fix the path traversal vulnerability.

AC-6 (prevent): least privilege limits the Allure process to minimal file system access, preventing disclosure of sensitive host files via path traversal even if input validation fails.
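The SI-10 control above, and the attachment-source mechanism described under Vulnerability details, come down to one check: a `source` value taken from an untrusted result file must resolve to a location inside the results directory before it is read. The following is an added example of that check in Python; it is not Allure's code, and the minimal `attachments: [{name, source}]` result-file shape and the sample files it builds are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple


def safe_attachment_path(results_dir: str, source: str) -> Optional[Path]:
    """Resolve an untrusted attachment 'source' against the results directory.

    Returns the resolved path only if it stays inside results_dir. Traversal
    ('../'), absolute paths, and symlinks that escape the directory all yield
    None, because resolve() follows links and collapses '..' before the check.
    """
    base = Path(results_dir).resolve()
    candidate = (base / source).resolve()  # an absolute 'source' replaces base
    if candidate == base:  # empty or '.' source is not a file attachment
        return None
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def collect_attachments(results_dir: str, result_file: str) -> Tuple[List[str], List[str]]:
    """Parse one *-result.json (hypothetical minimal shape) and split its
    attachment sources into accepted in-tree paths and rejected ones."""
    with open(result_file, encoding="utf-8") as fh:
        result = json.load(fh)
    accepted: List[str] = []
    rejected: List[str] = []
    for att in result.get("attachments", []):
        src = att.get("source", "")
        if safe_attachment_path(results_dir, src) is not None:
            accepted.append(src)
        else:
            rejected.append(src)
    return accepted, rejected


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample: a results directory holding one genuine attachment
    and a result file whose sources include a traversal and an absolute path."""
    with tempfile.TemporaryDirectory() as tmp:
        results = Path(tmp) / "allure-results"
        results.mkdir()
        (results / "abc-attachment.txt").write_text("console log\n")
        result_json = results / "deadbeef-result.json"  # constructed name
        result_json.write_text(json.dumps({"name": "login test", "attachments": [
            {"name": "log", "source": "abc-attachment.txt"},
            {"name": "x", "source": "../../../../etc/passwd"},
            {"name": "y", "source": "/etc/hostname"},
        ]}))
        return collect_attachments(str(results), str(result_json))
```

Running `demo()` accepts only `abc-attachment.txt` and rejects the two out-of-tree sources; pairing the check with an AC-6 style restriction on what the generator process can read covers the case where validation is bypassed.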
