CVE-2026-33166: Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers)

March 18, 2026 (updated March 25, 2026)

The Allure report generator is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file (-result.json, -container.json, or .plist) that points an attachment source to a sensitive file on the host system. During report generation, Allure will resolve these paths and include the sensitive files in the final report.

References

github.com/advisories/GHSA-64hm-gfwq-jppw
github.com/allure-framework/allure2
github.com/allure-framework/allure2/security/advisories/GHSA-64hm-gfwq-jppw
nvd.nist.gov/vuln/detail/CVE-2026-33166

Code Behaviors & Features

Detect and mitigate CVE-2026-33166 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →