CVE-2026-55846: Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read

June 19, 2026

The built-in HTTP server started by allure serve and allure open is vulnerable to path traversal. The server resolves request URI paths directly against the report directory without normalizing or validating that the resolved path stays within the report directory. An attacker who can reach the server can read any file accessible to the Allure process by sending a request containing ../ sequences.

References

github.com/advisories/GHSA-82cg-3hv7-74gc
github.com/allure-framework/allure2/security/advisories/GHSA-82cg-3hv7-74gc
nvd.nist.gov/vuln/detail/CVE-2026-55846

Code Behaviors & Features

Detect and mitigate CVE-2026-55846 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →