CVE-2026-45727
Deferred Deferred - Pending Action
Path Traversal in CloakBrowser cloakserve

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
CloakBrowser is a tool to bypass bot detection tests. Prior to version 0.3.28, the cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion. Additionally, cloakserve bound to 0.0.0.0 by default, making it network-exposed. This issue has been patched in version 0.3.28.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-45727
EUVD
EUVD-2026-33724
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cloakbrowser cloakbrowser to 0.3.27 (inc)
cloakbrowser cloakbrowser to 0.3.28 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45727 is an unauthenticated path traversal vulnerability in the cloakserve component of CloakBrowser. The issue occurs because the user-supplied fingerprint parameter is directly used as a filesystem path component when creating Chrome profile directories. An attacker can craft a fingerprint value containing path traversal sequences (like "../") to escape the intended directory and cause the service to delete arbitrary directories when cleaning up.

Additionally, cloakserve is bound to 0.0.0.0 by default, exposing it to network access, which allows remote attackers to exploit this vulnerability without authentication.

Compliance Impact

The vulnerability allows an unauthenticated attacker to perform arbitrary directory deletion on the system where CloakBrowser's cloakserve component is running. This could lead to loss or tampering of data stored on the affected system.

Such unauthorized deletion or manipulation of data could impact compliance with data protection regulations like GDPR or HIPAA, which require organizations to ensure the confidentiality, integrity, and availability of sensitive data.

If sensitive or regulated data is stored within the directories accessible to the cloakserve service user, this vulnerability could result in data loss or disruption of services, potentially leading to non-compliance with these standards.

Mitigations such as upgrading to version 0.3.28 or later and restricting network access to the cloakserve port are necessary to reduce the risk and maintain compliance.

Impact Analysis

This vulnerability allows an attacker with network access to the cloakserve port to delete any directories accessible to the service user by exploiting the path traversal flaw. This can lead to loss of important data or disruption of service due to arbitrary directory deletion.

Detection Guidance

This vulnerability can be detected by monitoring network traffic to identify any requests to the cloakserve port that include suspicious fingerprint parameter values containing path traversal sequences such as "../".

Additionally, checking the version of the cloakbrowser software installed can help determine if the system is vulnerable (versions up to and including 0.3.27 are affected).

Suggested commands include:

  • Use network monitoring tools (e.g., tcpdump or Wireshark) to capture traffic on the cloakserve port and filter for requests containing "../" in the fingerprint parameter.
  • Check the installed version of cloakbrowser with a command like `cloakserve --version` or by inspecting the package version.
  • Audit filesystem logs or monitor for unexpected directory deletions in the user_data_dir or parent directories.
Mitigation Strategies

Immediate mitigation steps include upgrading the cloakbrowser software to version 0.3.28 or later, where this vulnerability has been patched.

Additionally, restrict network access to the cloakserve port to prevent unauthenticated attackers from reaching the service, since it is bound to 0.0.0.0 by default and exposed to the network.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45727. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart