CVE-2026-45727 Overview
CVE-2026-45727 is a path traversal vulnerability [CWE-22] in CloakBrowser, a tool designed to bypass bot detection tests. The flaw affects the cloakserve Chrome DevTools Protocol (CDP) multiplexer in versions prior to 0.3.28. The component uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker can supply crafted traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, causing arbitrary directory deletion. The service binds to 0.0.0.0 by default, exposing it to the network.
Critical Impact
Unauthenticated network attackers can trigger deletion of arbitrary directories on the host running cloakserve, causing data loss and service disruption.
Affected Products
- CloakBrowser cloakserve CDP multiplexer prior to version 0.3.28
- Deployments using default 0.0.0.0 bind configuration
- Any host running CloakBrowser with network-reachable cloakserve ports
Discovery Timeline
- 2026-06-01 - CVE-2026-45727 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-45727
Vulnerability Analysis
The vulnerability resides in the cloakserve CDP multiplexer component of CloakBrowser. The service accepts a fingerprint query parameter from clients and uses that value directly when constructing the path for user_data_dir, the Chrome profile directory. Because the parameter undergoes no normalization or containment check against the configured data_dir, traversal sequences such as ../ resolve outside the intended base directory.
The deletion primitive triggers during cleanup. When Chrome fails to launch or the session terminates, cloakserve calls shutil.rmtree() against the path it previously computed. Because the resolved path can point anywhere the service process has write access, the cleanup routine recursively removes attacker-chosen directories. The default network exposure on 0.0.0.0 removes any requirement for local access or authentication.
Root Cause
The root cause is missing input validation on the fingerprint parameter combined with unsafe path composition. The code path concatenates user input into a filesystem path without canonicalizing the result or verifying it stays within data_dir. A secondary contributing factor is the insecure default bind address, which exposes the management interface beyond the local host.
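The following is an added example, not CloakBrowser's own code, showing the two controls the root cause description calls for: a strict allowlist on the fingerprint value plus a canonicalized containment check against data_dir, applied both when the profile directory is created and again immediately before any shutil.rmtree() call. The function names, the regular expression and the data_dir value are assumptions for illustration.

```python
import re
import shutil
from pathlib import Path

# Hypothetical hardened replacement for the unsafe composition
# data_dir + "/" + fingerprint that the advisory describes.
FINGERPRINT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # assumed allowlist


def resolve_profile_dir(data_dir: str, fingerprint: str) -> Path:
    """Return <data_dir>/<fingerprint> only if the value is a plain identifier
    and the canonical result stays inside data_dir; otherwise raise ValueError."""
    if not FINGERPRINT_RE.fullmatch(fingerprint):
        raise ValueError("fingerprint must match [A-Za-z0-9_-]{1,64}")
    base = Path(data_dir).resolve()
    candidate = (base / fingerprint).resolve()
    # Defence in depth: even with the allowlist, verify containment after
    # canonicalization so symlinks or future regex changes cannot escape.
    if candidate != base and base not in candidate.parents:
        raise ValueError("profile path escapes data_dir")
    return candidate


def is_safe_fingerprint(data_dir: str, fingerprint: str) -> bool:
    """Convenience wrapper: True if the value would be accepted."""
    try:
        resolve_profile_dir(data_dir, fingerprint)
        return True
    except ValueError:
        return False


def safe_rmtree(data_dir: str, path: Path) -> bool:
    """Re-check containment at cleanup time before deleting anything.
    Returns True if deletion was permitted, False if it was refused."""
    base = Path(data_dir).resolve()
    target = Path(path).resolve()
    # Refuse to delete data_dir itself or anything outside it.
    if target == base or base not in target.parents:
        return False
    if target.is_dir():
        shutil.rmtree(target)
    return True
```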
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker who can reach the cloakserve port issues a request with a fingerprint value containing path traversal sequences. The attacker then forces the Chrome launch to fail or waits for normal cleanup. The subsequent shutil.rmtree() call deletes the traversed directory tree under the privileges of the cloakserve process.
No verified public exploit code was identified at publication. See the GitHub Security Advisory for vendor technical details.
Detection Methods for CVE-2026-45727
Indicators of Compromise
- HTTP requests to cloakserve containing .., %2e%2e, or encoded traversal sequences in the fingerprint query parameter
- Unexpected disappearance of directories on hosts running CloakBrowser
- cloakserve process logs showing Chrome launch failures followed by rmtree activity on paths outside the configured data_dir
- Inbound connections to cloakserve ports from non-trusted source addresses
Detection Strategies
- Inspect web access logs for fingerprint query parameters containing path separators or relative traversal tokens
- Monitor filesystem audit events for unlink and rmdir operations originating from the cloakserve process on paths outside data_dir
- Correlate Chrome process spawn failures with subsequent recursive deletion activity by the parent service
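As an added example (not part of the advisory or the vendor's tooling), the first detection strategy above applied to constructed access-log lines: the fingerprint query parameter is extracted, percent-decoded repeatedly so that single- and double-encoded sequences are normalized, and flagged when it contains a path separator or a ".." token. The combined-log line format, the /session endpoint and the sample addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines in combined-log style (assumed format, not real
# cloakserve output). Two requests carry encoded traversal in the fingerprint.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2026:10:00:01 +0000] "GET /session?fingerprint=chrome-win11-a1b2 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jun/2026:10:00:02 +0000] "GET /session?fingerprint=..%2F..%2Fetc HTTP/1.1" 500 0
10.0.0.9 - - [01/Jun/2026:10:00:03 +0000] "GET /session?fingerprint=%252e%252e%252fvar HTTP/1.1" 500 0
10.0.0.7 - - [01/Jun/2026:10:00:04 +0000] "GET /health HTTP/1.1" 200 2
10.0.0.9 - - [01/Jun/2026:10:00:05 +0000] "GET /session?fingerprint=..%5c..%5cdata HTTP/1.1" 500 0
"""

# source, method, request target, status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Any path separator (either slash style) or a ".." token is suspicious.
SUSPICIOUS_RE = re.compile(r"\.\.|[\\/]")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded sequences such as
    %252e%252e%252f are normalized before inspection."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_traversal_requests(log_text: str) -> list:
    """Return one finding per request whose decoded fingerprint parameter
    contains a path separator or a '..' token."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, method, target, status = m.groups()
        query = urlsplit(target).query
        # parse_qs decodes once; fully_decode catches further encoding layers.
        for raw in parse_qs(query, keep_blank_values=True).get("fingerprint", []):
            decoded = fully_decode(raw)
            if SUSPICIOUS_RE.search(decoded):
                findings.append({"src": src, "status": int(status),
                                 "fingerprint": decoded})
    return findings
```

The status field is kept alongside each finding because the advisory's third strategy pairs these requests with Chrome launch failures, which this log shape records as 5xx responses.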
Monitoring Recommendations
- Enable filesystem auditing on directories adjacent to and above the configured data_dir
- Capture and retain HTTP request logs for the cloakserve listener, including full query strings
- Alert on cloakserve binding to non-loopback interfaces in production inventories
How to Mitigate CVE-2026-45727
Immediate Actions Required
- Upgrade CloakBrowser to version 0.3.28 or later on all hosts running cloakserve
- Restrict the cloakserve bind address to 127.0.0.1 or a trusted management interface
- Place network ACLs or host firewall rules in front of cloakserve ports to deny untrusted sources
- Audit the host for unexpected directory deletions that may indicate prior exploitation
Patch Information
The maintainers patched the vulnerability in CloakBrowser 0.3.28. The fix addresses both the path traversal in the fingerprint parameter and the default network exposure. Refer to the GitHub Security Advisory GHSA-mf33-gv72-w2h5 for the authoritative fix description.
Workarounds
- Bind cloakserve to 127.0.0.1 instead of 0.0.0.0 until the upgrade is complete
- Run cloakserve under a dedicated low-privilege account whose filesystem access is limited to data_dir
- Place cloakserve behind a reverse proxy that strips or validates the fingerprint parameter against an allowlist
# Configuration example: restrict bind address and isolate data directory
# Example only - consult vendor documentation for current flags
cloakserve --host 127.0.0.1 --port 9223 --data-dir /var/lib/cloakbrowser/profiles
# Host firewall example (Linux nftables) to block external access
nft add rule inet filter input tcp dport 9223 iifname != "lo" drop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.