Allure 2 is a multi-language test reporting tool widely used to generate detailed reports from automated test results. Versions prior to 2.38.0 contain a path traversal vulnerability (CVE-2026-33166, CWE-22) that arises from improper validation of file paths in test result attachments. Specifically, an attacker can craft malicious test result files (such as -result.json, -container.json, or .plist files) that specify attachment sources pointing to arbitrary files on the host filesystem. During report generation, Allure resolves these paths without sufficient restriction, causing it to read and embed the contents of sensitive files into the generated report. This leads to unauthorized disclosure of potentially sensitive information stored on the host system. The vulnerability has a CVSS 3.1 base score of 8.6, reflecting its high impact on confidentiality, ease of remote exploitation without authentication or user interaction, and the ability to affect multiple systems using vulnerable versions. While no known exploits are currently reported in the wild, the flaw represents a significant risk for organizations relying on Allure 2 for test reporting. The issue is resolved in version 2.38.0 by implementing proper path validation and restrictions to prevent traversal outside allowed directories.

The primary impact of CVE-2026-33166 is unauthorized disclosure of sensitive files on systems running vulnerable versions of Allure 2. Attackers can exfiltrate confidential data such as configuration files, credentials, source code, or other sensitive artifacts by embedding them into test reports. This compromises confidentiality and may lead to further attacks if sensitive information is exposed. Since Allure is used in CI/CD pipelines and development environments, exposure could affect intellectual property and internal infrastructure details. The vulnerability does not affect data integrity or availability directly but can undermine trust in test reporting and leak critical information. Organizations worldwide using Allure 2 prior to 2.38.0 in their software development lifecycle are at risk, especially those handling sensitive or regulated data.

To mitigate this vulnerability, organizations should immediately upgrade Allure 2 to version 2.38.0 or later, where the path traversal flaw is fixed. Additionally, implement strict validation and sanitization of all test result files before processing, ensuring attachment paths do not reference files outside designated directories. Restrict file system permissions for the Allure report generation process to limit access to sensitive files. Employ network segmentation and access controls to limit who can submit test results to the reporting system. Monitor logs for unusual file access patterns during report generation. Incorporate security scanning of test artifacts to detect maliciously crafted files. Finally, educate development and QA teams about the risks of processing untrusted test data and enforce secure handling practices.