Severity: HIGH | CVE-2026-45727 | CNA: GitHub_M

CVE-2026-45727: CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion

CloakBrowser is a tool to bypass bot detection tests. Prior to version 0.3.28, the cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion. Additionally, cloakserve bound to 0.0.0.0 by default, making it network-exposed. This issue has been patched in version 0.3.28.
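
The flaw described above comes down to joining an untrusted query parameter onto data_dir and later handing the result to shutil.rmtree(). The Python example below is added here for illustration and is not CloakBrowser's code or its 0.3.28 patch. It contrasts that pattern with an allowlist plus containment check on both path creation and cleanup. The function names, the fingerprint character set, and the sample values are assumptions.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumed allowlist: the real fingerprint format is not stated on this page.
FINGERPRINT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def profile_dir_unsafe(data_dir: Path, fingerprint: str) -> Path:
    """Pattern from the advisory: the parameter is used as a path component."""
    return data_dir / fingerprint

def profile_dir_safe(data_dir: Path, fingerprint: str) -> Path:
    """Accept only a plain name, then verify the result stays in data_dir."""
    if not FINGERPRINT_RE.fullmatch(fingerprint):
        raise ValueError("fingerprint contains disallowed characters")
    base = data_dir.resolve()
    candidate = (base / fingerprint).resolve()
    # Defence in depth: also catches a symlink that points out of data_dir.
    if candidate.parent != base:
        raise ValueError("profile path escapes data_dir")
    return candidate

def cleanup_profile(data_dir: Path, profile: Path) -> bool:
    """Delete a profile only if it is a direct child of data_dir."""
    target = profile.resolve()
    if target.parent != data_dir.resolve():
        return False  # refuse: never rmtree outside the boundary
    shutil.rmtree(target, ignore_errors=True)
    return True

def demo() -> dict:
    """Constructed scenario inside a throwaway temporary tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data_dir, victim = root / "data", root / "other-app"
        data_dir.mkdir()
        victim.mkdir()
        crafted = "../other-app"  # constructed sample value
        unsafe = profile_dir_unsafe(data_dir, crafted).resolve()
        try:
            profile_dir_safe(data_dir, crafted)
            rejected = False
        except ValueError:
            rejected = True
        refused = not cleanup_profile(data_dir, data_dir / crafted)
        ok = profile_dir_safe(data_dir, "profile_01")
        return {"escaped": unsafe == victim.resolve(), "rejected": rejected,
                "refused": refused, "victim_intact": victim.exists(),
                "ok_inside": ok.parent == data_dir.resolve()}
```

Checking containment again at deletion time matters because the rmtree call, not the directory creation, is what causes the damage.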

Metrics

  • CVSS v4.0: 8.8
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A path traversal vulnerability in CloakBrowser's cloakserve CDP multiplexer allows an unauthenticated attacker to delete arbitrary directories on the host filesystem. The attacker reaches the service over the network (cloakserve binds to 0.0.0.0 by default) and supplies a crafted fingerprint query parameter containing path traversal sequences, causing shutil.rmtree() to delete directories outside the intended data directory. Successful exploitation overwrites or destroys filesystem content, potentially taking down dependent services or the host entirely. A patched-image rebuild at version 0.3.28 is available on HarborGuard for environments running an affected version of CloakBrowser.

HarborGuard Coverage

Detection

Detection of CVE-2026-45727 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in both registries and active CI/CD pipelines, including custom-built images that package cloakserve.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.8 HIGH and weighting that score against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

Because no fix was published at the time of this record, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available at version 0.3.28 the moment the upstream fix is confirmed; for customers with auto-remediation enabled, that rebuild triggers an automated regression run and a PR opened against affected workloads without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the cloakserve port over the network; cloakserve binds to 0.0.0.0 by default, making it directly exposed on all interfaces.

  • Authentication: Not required

    No credentials or session token are needed; the fingerprint parameter is accepted from any unauthenticated HTTP request.

  • Victim interaction: Not required

    The exploit is fully server-side; no user action or social-engineering step is required to trigger the vulnerability.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; the attacker only needs to supply a crafted path traversal string in the fingerprint query parameter with no race conditions or environmental dependencies.

Blast Radius

  • Deletes arbitrary directories on the host filesystem by escaping the configured data_dir boundary through path traversal sequences.
  • Destroys Chrome profile directories or any other directory reachable by the cloakserve process user, including application data and configuration trees.
  • Causes service disruption to cloakserve and any dependent process whose working files reside in a deleted directory.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-45727 is active across customer image registries and pipelines, with results scored at CVSS 8.8 HIGH and routed per each environment's compliance policy. For customers running CloakBrowser images below 0.3.28, a patched-image rebuild at version 0.3.28 becomes available in HarborGuard as soon as the upstream fix is confirmed published. For customers with auto-remediation enabled, that rebuild is followed by an automated regression run and a PR opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. While no upstream fix was listed at time of publication, HarborGuard re-checks the advisory each ingest cycle. In the interim, compensating controls worth considering include restricting network access to the cloakserve port via network policy (preventing unauthenticated remote access), rebinding cloakserve to a loopback interface rather than 0.0.0.0, and applying filesystem-level restrictions on the process user to limit the blast radius of any rmtree call.

Affected packages

  • CloakHQ / CloakBrowser: < 0.3.28

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N