Description
Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. The Allure report generator prior to version 2.38.0 is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report. Version 2.38.0 fixes the issue.
Published: 2026-03-20
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Patch
AI Analysis

Impact

Allure Report versions prior to 2.38.0 allow an attacker to read arbitrary files on the host system by injecting path traversal sequences into the attachment source field of test result files. During report generation, the tool resolves these paths and copies the referenced files into the final report, thereby exposing confidential data. This vulnerability is a classic path traversal flaw (CWE-22).

Affected Systems

The flaw is in the Allure 2 report generator before version 2.38.0; the GitHub advisory names the Allure 1, Allure 2, and XCTest result readers as the attachment-processing code paths affected, so results in any of those three input formats can carry a malicious attachment source. Any installation of Allure Report before 2.38.0 that generates reports from untrusted result files is exposed. NVD tracks the product as qameta:allure_report (CPE cpe:2.3:a:qameta:allure_report:*:*:*:*:*:*:*:*).

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N scores 8.6 High (confidentiality impact only, with a scope change because the report generator reads files that belong to the host rather than to the results directory), the SSVC assessment records a public proof of concept (Exploitation: poc) and rates the issue as automatable, while the EPSS score below 1 % indicates that exploitation in the wild is currently uncommon and the vulnerability is not in the CISA KEV catalog. An attacker must get a crafted result file into the results directory that the generator consumes, for example through a test, a test dependency, or a contributor-supplied change in a CI pipeline; the read happens during report generation with the privileges of that process, and the file contents land in the generated report, so any file the process can open (CI credentials, configuration, SSH keys) can be exfiltrated wherever the report is published.

Generated by OpenCVE AI on April 14, 2026 at 21:49 UTC.

Remediation

Fixed in Allure Report 2.38.0 (per the CVE description and GHSA-64hm-gfwq-jppw). No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade Allure Report to version 2.38.0 or later.
  • If an upgrade is not immediately possible, validate and sanitize incoming test result files before they are processed.
  • Restrict file‑system permissions for the user running the Allure report generator to limit access to sensitive files.
  • Monitor generated reports for unexpected inclusion of sensitive data that may indicate exploitation attempts.
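The second recommended action above (validate result files before they are processed) can be done as a pre-flight scan of the results directory. The script below is an added example and is not Allure's own code or part of the fix in 2.38.0. It assumes the Allure 2 results layout as I understand it: result objects (`*-result.json`) and container objects (`*-container.json`) hold `attachments` lists whose entries carry a `source` that is expected to name a file sitting beside the result files. It walks the whole document, so it also covers attachments nested in `steps` and in a container's `befores`/`afters` fixtures, which goes slightly beyond the single case in the description; it does not parse the XCTest `.plist` input. The sample result files are constructed for the demonstration, and the function names (`iter_attachment_sources`, `classify_source`, `scan_results_dir`, `demo`) are my own.

```python
"""Pre-flight scan of an Allure 2 results directory for attachment sources
that point outside it (added example, not Allure's own code)."""
import json
import os
import tempfile
from typing import Iterator

# Constructed sample input: a minimal -result.json and -container.json in the
# Allure 2 results layout as assumed in the lead-in. One attachment is benign,
# one uses a traversal sequence, one uses an absolute path.
SAMPLE_RESULTS = {
    "a1-result.json": {
        "uuid": "a1",
        "name": "login succeeds",
        "status": "passed",
        "attachments": [
            {"name": "screenshot", "source": "a1-attachment.png", "type": "image/png"}
        ],
        "steps": [
            {
                "name": "load config",
                "status": "passed",
                "attachments": [
                    # traversal sequence in the attachment source
                    {"name": "config", "source": "../../../etc/passwd", "type": "text/plain"}
                ],
            }
        ],
    },
    "c1-container.json": {
        "uuid": "c1",
        "children": ["a1"],
        "befores": [
            {
                "name": "setup",
                "attachments": [
                    # absolute path in the attachment source
                    {"name": "env", "source": "/etc/hostname", "type": "text/plain"}
                ],
            }
        ],
    },
}


def iter_attachment_sources(node, json_path="$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, source) for every attachment object reachable from node.

    Attachments appear at the top level of a result, inside nested steps, and
    inside the befores/afters fixtures of a container, so the walk is generic:
    any list found under an "attachments" key is treated as attachments.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            child_path = f"{json_path}.{key}"
            if key == "attachments" and isinstance(value, list):
                for i, att in enumerate(value):
                    if isinstance(att, dict) and isinstance(att.get("source"), str):
                        yield f"{child_path}[{i}].source", att["source"]
            yield from iter_attachment_sources(value, child_path)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_attachment_sources(item, f"{json_path}[{i}]")


def classify_source(results_dir: str, source: str) -> str:
    """Return "ok" if source resolves inside results_dir, otherwise the reason it does not.

    realpath() is used on both sides so ".." segments and symlinks are resolved
    before the containment check, which is the check a vulnerable reader lacks.
    """
    if os.path.isabs(source):
        return "absolute path"
    root = os.path.realpath(results_dir)
    target = os.path.realpath(os.path.join(root, source))
    try:
        inside = os.path.commonpath([root, target]) == root
    except ValueError:  # different drives on Windows: cannot be inside
        inside = False
    return "ok" if inside else "escapes results directory"


def scan_results_dir(results_dir: str) -> list[dict]:
    """Scan every *-result.json and *-container.json and report unsafe attachment sources."""
    findings = []
    for fname in sorted(os.listdir(results_dir)):
        if not fname.endswith(("-result.json", "-container.json")):
            continue
        with open(os.path.join(results_dir, fname), encoding="utf-8") as fh:
            doc = json.load(fh)
        for json_path, source in iter_attachment_sources(doc):
            reason = classify_source(results_dir, source)
            if reason != "ok":
                findings.append({"file": fname, "path": json_path, "source": source, "reason": reason})
    return findings


def demo() -> list[dict]:
    """Write the constructed samples to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, doc in SAMPLE_RESULTS.items():
            with open(os.path.join(tmp, fname), "w", encoding="utf-8") as fh:
                json.dump(doc, fh)
        return scan_results_dir(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']} {f['path']}: {f['source']!r} ({f['reason']})")
```

Run it against a real results directory by calling `scan_results_dir(path)` before invoking `allure generate`, and fail the pipeline on any finding. The containment check is deliberately done on resolved paths rather than by looking for the literal `..` string, so a symlink dropped into the results directory that points elsewhere is caught as well; a stricter policy for Allure's flat layout is to reject any `source` that is not a bare file name.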

Generated by OpenCVE AI on April 14, 2026 at 21:49 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-64hm-gfwq-jppw
Title: Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers)
History

Tue, 14 Apr 2026 18:45:00 +0000

Values added:
  • First Time appeared: Qameta; Qameta allure Report
  • CPEs: cpe:2.3:a:qameta:allure_report:*:*:*:*:*:*:*:*
  • Vendors & Products: Qameta; Qameta allure Report

Tue, 24 Mar 2026 02:30:00 +0000

Values added:
  • Metrics (SSVC 2.0.3): Exploitation: poc; Automatable: yes; Technical Impact: partial


Mon, 23 Mar 2026 10:00:00 +0000

Values added:
  • First Time appeared: Allure-framework; Allure-framework allure2
  • Vendors & Products: Allure-framework; Allure-framework allure2

Fri, 20 Mar 2026 21:45:00 +0000

Values added:
  • Description: (the text shown in the Description section at the top of this page)
  • Title: Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers)
  • Weaknesses: CWE-22
  • References:
  • Metrics (CVSS v3.1): score 8.6; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T02:04:09.955Z

Reserved: 2026-03-17T21:17:08.888Z

Link: CVE-2026-33166

Vulnrichment

Updated: 2026-03-24T02:04:06.012Z

NVD

Status : Analyzed

Published: 2026-03-20T22:16:28.660

Modified: 2026-04-14T18:42:27.007

Link: CVE-2026-33166

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses