CVE-2026-55846 is a medium-severity path traversal vulnerability in io.qameta.allure:allure-commandline (maven), affecting versions <= 2.38.1. It is fixed in 2.39.0.
Summary The built-in HTTP server started by allure serve and allure open is vulnerable to path traversal. The server resolves request URI paths directly against the report directory without normalizing or validating that the resolved path stays within the report directory. An attacker who can reach the server can read any file accessible to the Allure process by sending a request containing ../ sequences. Details When allure serve or allure open is executed, Commands.setUpServer() creates an HTTP server with a handler that serves files from the report directory: allure-commandline/src/main/java/io/qameta/allure/Commands.java:325-339 On line 330, the handler constructs a file path by concatenating "." with the raw request URI path and resolving it against reportDirectory. For a request to /../../../etc/passwd: exchange.getRequestURI().getPath() returns "/../../../etc/passwd" String concatenation produces "./../../../etc/passwd" reportDirectory.resolve("./../../../etc/passwd") resolves to e.g. /tmp/allure-report/./../../../etc/passwd The OS resolves this to /etc/passwd There is no call to .normalize() followed by a .startsWith(reportDirectory) containment check. The serveFile() method (line 341) reads and returns any regular file without further validation. Additionally, URI.getPath() returns the percent-decoded path, so %2e%2e is decoded to .., enabling traversal via /%2e%2e/%2e%2e/etc/passwd which bypasses clients that normalize .. in raw form. The server defaults to binding on localhost (line 327), which limits remote exploitation. However, the --host option allows users to bind to any interface (e.g., --host 0.0.0.0), which is commonly used in CI/CD and containerized environments. Even when bound to localhost, the vulnerability is exploitable by: Other local users on shared/multi-tenant systems DNS rebinding attacks from malicious web pages visited by the user Adjacent containers in CI/CD environments that share a network namespace PoC Step 1: Start the Allure server (simulating a typical CI/CD scenario with network binding): Step 2: Read /etc/passwd via path traversal: Step 3: Alternative using percent-encoded traversal (works even with clients that normalize ..): Step 4: Read sensitive application files (e.g., environment variables, SSH keys): Each command returns the full contents of the requested file if readable by the Allure process. Impact An attacker who can reach the Allure HTTP server can read any file on the system that the Allure process has permissions to access. This includes: System credentials: /etc/shadow (if running as root), SSH private keys, cloud provider credentials Application secrets: Environment variables via /proc/self/environ, configuration files, API keys Source code and data: Any file on the filesystem accessible to the running user In CI/CD environments where Allure is commonly used, this could expose build secrets, deployment credentials, and other sensitive CI/CD artifacts. The lack of authentication means any client that can reach the server's port can exploit this vulnerability. Recommended Fix Normalize the resolved path and verify it remains within the report directory before serving: The .normalize() call collapses .. sequences, and the .startsWith() check ensures the resolved path is still within the report directory. Requests attempting traversal receive a 403 Forbidden response.
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-55846 has a CVSS score of 6.2 (Medium). The vector is requires local access, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (2.39.0). Upgrading removes the vulnerable code path.
maven
io.qameta.allure:allure-commandline (<= 2.38.1)io.qameta.allure:allure-commandline → 2.39.0 (maven)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-55846 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-55846 is reachable in your applications. Get a demo
Upgrade io.qameta.allure:allure-commandline to 2.39.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-55846 is a medium-severity path traversal vulnerability in io.qameta.allure:allure-commandline (maven), affecting versions <= 2.38.1. It is fixed in 2.39.0. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
CVE-2026-55846 has a CVSS score of 6.2 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
io.qameta.allure:allure-commandline (maven) versions <= 2.38.1 is affected.
Yes. CVE-2026-55846 is fixed in 2.39.0. Upgrade to this version or later.
Whether CVE-2026-55846 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade io.qameta.allure:allure-commandline to 2.39.0 or later.