Threat Advisory

CloakBrowser Vulnerability Performs Archive Wiping and Resource Revelation

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-45727 (CVSS 8.8) is a path traversal vulnerability in the CloakBrowser package affecting versions 0.3.27 and earlier. The flaw resides in the `cloakserve` CDP multiplexer, which uses the user-supplied `fingerprint` query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker can supply a crafted `fingerprint` value containing path traversal sequences so that `user_data_dir` resolves outside the configured `data_dir`. Because the cloakserve port is bound to `0.0.0.0` by default, it is network-exposed, and any attacker with network access to that port can delete arbitrary directories accessible to the service user, resulting in potential data loss or exposure. The business impact of exploitation includes data loss, disruption of services, and potential compliance violations.



RECOMMENDATION:

We recommend updating cloakbrowser to version 0.3.28 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-mf33-gv72-w2h5
