CVE-2026-45727
Deferred Deferred - Pending Action

Path Traversal in CloakBrowser cloakserve

Vulnerability report for CVE-2026-45727, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description

CloakBrowser is a tool to bypass bot detection tests. Prior to version 0.3.28, the cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion. Additionally, cloakserve bound to 0.0.0.0 by default, making it network-exposed. This issue has been patched in version 0.3.28.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-07-12
AI Q&A
2026-06-01
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
cloakbrowser cloakbrowser to 0.3.27 (inc)
cloakbrowser cloakbrowser to 0.3.28 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-45727 is an unauthenticated path traversal vulnerability in the cloakserve component of CloakBrowser. The issue occurs because the user-supplied fingerprint parameter is directly used as a filesystem path component when creating Chrome profile directories. An attacker can craft a fingerprint value containing path traversal sequences (like "../") to escape the intended directory and cause the service to delete arbitrary directories when cleaning up.

Additionally, cloakserve is bound to 0.0.0.0 by default, exposing it to network access, which allows remote attackers to exploit this vulnerability without authentication.

Compliance Impact

The vulnerability allows an unauthenticated attacker to perform arbitrary directory deletion on the system where CloakBrowser's cloakserve component is running. This could lead to loss or tampering of data stored on the affected system.

Such unauthorized deletion or manipulation of data could impact compliance with data protection regulations like GDPR or HIPAA, which require organizations to ensure the confidentiality, integrity, and availability of sensitive data.

If sensitive or regulated data is stored within the directories accessible to the cloakserve service user, this vulnerability could result in data loss or disruption of services, potentially leading to non-compliance with these standards.

Mitigations such as upgrading to version 0.3.28 or later and restricting network access to the cloakserve port are necessary to reduce the risk and maintain compliance.

Impact Analysis

This vulnerability allows an attacker with network access to the cloakserve port to delete any directories accessible to the service user by exploiting the path traversal flaw. This can lead to loss of important data or disruption of service due to arbitrary directory deletion.

Detection Guidance

This vulnerability can be detected by monitoring network traffic to identify any requests to the cloakserve port that include suspicious fingerprint parameter values containing path traversal sequences such as "../".

Additionally, checking the version of the cloakbrowser software installed can help determine if the system is vulnerable (versions up to and including 0.3.27 are affected).

Suggested commands include:

  • Use network monitoring tools (e.g., tcpdump or Wireshark) to capture traffic on the cloakserve port and filter for requests containing "../" in the fingerprint parameter.
  • Check the installed version of cloakbrowser with a command like `cloakserve --version` or by inspecting the package version.
  • Audit filesystem logs or monitor for unexpected directory deletions in the user_data_dir or parent directories.
Mitigation Strategies

Immediate mitigation steps include upgrading the cloakbrowser software to version 0.3.28 or later, where this vulnerability has been patched.

Additionally, restrict network access to the cloakserve port to prevent unauthenticated attackers from reaching the service, since it is bound to 0.0.0.0 by default and exposed to the network.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45727. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart