Allure 2 is a widely used multi-language test reporting tool that generates reports based on test result files. Versions prior to 2.38.0 contain a path traversal vulnerability (CWE-22) identified as CVE-2026-33166. The vulnerability arises because Allure improperly limits pathname resolution when processing attachments referenced in test result files such as -result.json, -container.json, or .plist files. An attacker can craft a malicious test result file that specifies an attachment source path pointing to arbitrary sensitive files on the host filesystem. During report generation, Allure resolves these paths without adequate validation and includes the contents of these sensitive files in the generated report output. This results in an arbitrary file read vulnerability, potentially exposing confidential data such as configuration files, credentials, or private keys. The vulnerability has a CVSS 3.1 base score of 8.6, reflecting its high impact on confidentiality, ease of exploitation without authentication or user interaction, and the scope affecting all systems running vulnerable Allure versions. No known exploits are reported in the wild yet. The issue is resolved in Allure 2.38.0 by implementing proper path validation and restricting file access to intended directories during report generation.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored on the host system where Allure 2 is running. Attackers can leverage crafted test result files to read arbitrary files, potentially exposing secrets such as environment variables, API keys, private certificates, or internal configuration files. This can lead to further compromise of the affected environment, including privilege escalation or lateral movement if critical credentials are exposed. Organizations relying on Allure 2 for test reporting in CI/CD pipelines or development environments are at risk of data leakage. Since the vulnerability does not affect integrity or availability directly, the main concern is confidentiality breach. The ease of exploitation without authentication means attackers can exploit this vulnerability remotely if they can supply malicious test results, increasing the risk in multi-tenant or shared build environments.

The most effective mitigation is to upgrade Allure 2 to version 2.38.0 or later, where the vulnerability is fixed. Until upgrade is possible, organizations should implement strict validation and sanitization of all test result files before processing them with Allure. Restricting file system permissions for the Allure process to limit access to sensitive directories can reduce exposure. Additionally, running Allure report generation in isolated or containerized environments with minimal privileges can contain potential damage. Monitoring and auditing test result files for suspicious or unexpected attachment paths can help detect exploitation attempts. Finally, organizations should review and secure sensitive files on hosts running Allure to minimize the impact if exposure occurs.