Description
CloakBrowser is a tool to bypass bot detection tests. Prior to version 0.3.28, the cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion. Additionally, cloakserve bound to 0.0.0.0 by default, making it network-exposed. This issue has been patched in version 0.3.28.
Published: 2026-06-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CloakBrowser’s cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. The vulnerability is a directory traversal flaw, classified as CWE‑22, that allows an unauthenticated attacker to supply a crafted fingerprint value containing traversal sequences. When Chrome fails to launch or the process is cleaned up, the cleanup routine calls shutil.rmtree() on the profile directory, which deletes the resolved traversed path. Consequently, an attacker can delete any directory located outside the intended data directory, causing data loss and potentially disrupting system operation. This flaw does not provide code execution but can lead to significant integrity and availability damage.

Affected Systems

The flaw exists in CloakHQ CloakBrowser versions prior to 0.3.28. The service, cloakserve, binds to 0.0.0.0 by default, making it accessible over the network. An unauthenticated client can reach the cloakserve port and trigger the directory deletion by sending the malicious fingerprint parameter. Users running older CloakBrowser instances without network restriction are directly exposed to this threat.

Risk and Exploitability

The CVSS score of 8.8 reflects a high‑severity impact. EPSS is not available, but the lack of authentication and the service’s global binding increase the likelihood of exploitation. The flaw is not listed in CISA KEV, but it can be proactively mitigated by upgrading to version 0.3.28. Attackers would send a specially crafted fingerprint value over the cloakserve port to trigger arbitrary directory deletion.

Generated by OpenCVE AI on June 1, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading CloakBrowser to version 0.3.28 or later, which removes the vulnerable handling of the fingerprint parameter.
  • Configure cloakserve to bind only to localhost or enforce firewall rules to block external access, thereby preventing unauthenticated network connections.
  • Validate and sanitize the fingerprint query parameter before it is used as a path component, ensuring it contains no traversal sequences or unsafe characters.

Generated by OpenCVE AI on June 1, 2026 at 21:05 UTC.
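
The third recommended action, sketched in Python as an added example: this is not CloakBrowser's code or its 0.3.28 patch. The function names and the fingerprint allowlist are assumptions; data_dir, user_data_dir and fingerprint follow the description above.

```python
import re
import shutil
from pathlib import Path

# Assumption: fingerprints are short opaque tokens; this allowlist is illustrative.
FINGERPRINT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_profile_dir(data_dir: Path, fingerprint: str) -> Path:
    """Pattern the advisory describes: raw join of the query parameter."""
    return (data_dir / fingerprint).resolve()


def resolve_profile_dir(data_dir: Path, fingerprint: str) -> Path:
    """Hypothetical hardened helper: return user_data_dir or raise ValueError."""
    if not FINGERPRINT_RE.fullmatch(fingerprint):
        raise ValueError("fingerprint has characters outside the allowlist")
    root = data_dir.resolve()
    candidate = (root / fingerprint).resolve()
    # Defence in depth: the resolved path must be a direct child of data_dir.
    # This also rejects a symlink under data_dir that points elsewhere.
    if candidate.parent != root:
        raise ValueError("profile directory escapes data_dir")
    return candidate


def safe_cleanup(data_dir: Path, user_data_dir: Path) -> bool:
    """Re-check containment at deletion time; never rmtree outside data_dir."""
    root = data_dir.resolve()
    target = user_data_dir.resolve()
    if target == root or root not in target.parents:
        return False
    shutil.rmtree(target, ignore_errors=True)
    return True


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed throwaway tree
        data_dir = Path(tmp).resolve() / "data"
        outside = Path(tmp).resolve() / "outside"
        data_dir.mkdir()
        outside.mkdir()
        print("naive join resolves to:", naive_profile_dir(data_dir, "../outside"))
        try:
            resolve_profile_dir(data_dir, "../outside")
        except ValueError as exc:
            print("hardened helper rejects it:", exc)
        print("cleanup allowed:", safe_cleanup(data_dir, outside))
```

Checking containment again inside the cleanup path matters because the deletion is where the damage occurs; a path that slipped past input validation is still refused there.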

Advisories
Source: Github GHSA
ID: GHSA-mf33-gv72-w2h5
Title: CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion

History

Mon, 01 Jun 2026 22:30:00 +0000

Values Removed: (none)
Values Added:
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 19:00:00 +0000

Values Removed: (none)
Values Added:
Description: CloakBrowser is a tool to bypass bot detection tests. Prior to version 0.3.28, the cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion. Additionally, cloakserve bound to 0.0.0.0 by default, making it network-exposed. This issue has been patched in version 0.3.28.
Title: CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion
Weaknesses: CWE-22
References:
Metrics: cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T21:39:48.256Z

Reserved: 2026-05-13T05:51:48.667Z

Link: CVE-2026-45727

Vulnrichment

Updated: 2026-06-01T21:39:45.471Z

NVD

Status: Deferred

Published: 2026-06-01T19:16:53.003

Modified: 2026-06-02T14:04:23.573

Link: CVE-2026-45727

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T21:15:15Z

Weaknesses