Which versions of CloakBrowser cloakserve are affected by CVE-2026-45727?

CloakBrowser's cloakserve CDP multiplexer (pip versions ≤0.3.27) exposes organizations to unauthenticated remote directory deletion attacks, with default network binding (0.0.0.0) making the…. A patch is available.

CloakBrowser cloakserve CVE-2026-45727

Q: How to fix or mitigate CVE-2026-45727?

Within 24 hours: Identify all systems running cloakbrowser ≤0.3.27 and immediately disable cloakserve service or isolate from untrusted networks. Within 7 days: Implement network-layer controls-restrict access via firewall to trusted IP ranges only, or reconfigure cloakserve binding from 0.0.0.0 to 127.0.0.1 if only local access is required. Within 30 days: Monitor vendor advisories for patch release and upgrade to patched version when available; if no patch materializes, evaluate service replacement or retirement.

HIGH

Path Traversal (CWE-22)

2026-05-18 https://github.com/CloakHQ/CloakBrowser

GHSA-mf33-gv72-w2h5

Path Traversal Google

Lifecycle Timeline

Source Code Evidence Fetched

May 18, 2026 - 18:30 vuln.today

Analysis Generated

May 18, 2026 - 18:30 vuln.today

DescriptionNVD

The cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion.

Additionally, cloakserve bound to 0.0.0.0 by default, making it network-exposed.

Impact

An attacker with network access to the cloakserve port can delete arbitrary directories accessible to the service user.

Patches

Fixed in v0.3.28.

Mitigations

Upgrade to v0.3.28 or later
Restrict network access to the cloakserve port

AnalysisAI

Arbitrary directory deletion in CloakBrowser's cloakserve CDP multiplexer (pip package cloakbrowser <= 0.3.27) allows remote unauthenticated attackers to traverse out of the configured data_dir via a crafted fingerprint query parameter, causing shutil.rmtree() to delete directories owned by the service user. The default 0.0.0.0 bind exposes the service to any reachable network, amplifying impact. …

RemediationAI

Within 24 hours: Identify all systems running cloakbrowser ≤0.3.27 and immediately disable cloakserve service or isolate from untrusted networks. Within 7 days: Implement network-layer controls-restrict access via firewall to trusted IP ranges only, or reconfigure cloakserve binding from 0.0.0.0 to 127.0.0.1 if only local access is required. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-44739 HIGH This Week

8.7 May 27

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config

CVE-2026-8842 MEDIUM This Month

6.4 May 27

Stored Cross-Site Scripting in the Google+ Link Name WordPress plugin (versions up to and including 1.0) allows authenti

CVE-2025-68712 MEDIUM This Month

5.5 May 27

Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circum

CVE-2026-7552 MEDIUM This Month

5.3 May 28

Authorization bypass in the Geo Mashup WordPress plugin (all versions ≤ 1.13.19) exposes sensitive plugin configuration

CVE-2025-68709 MEDIUM This Month

5.2 May 26

Arbitrary JavaScript execution in SailingLab AppLock 4.3.8 for Android is triggered by a malicious co-installed app send

CVE-2026-45727 vulnerability details – vuln.today

Back