PT-2026-41798 · Pypi · Cloakbrowser
Published
2026-05-18
·
Updated
2026-05-18
·
CVE-2026-45727
CVSS v4.0
8.8
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N |
The
cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user data dir outside the configured data dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion.Additionally,
cloakserve bound to 0.0.0.0 by default, making it network-exposed.Impact
An attacker with network access to the cloakserve port can delete arbitrary directories accessible to the service user.
Patches
Fixed in v0.3.28.
Mitigations
- Upgrade to v0.3.28 or later
- Restrict network access to the cloakserve port
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Cloakbrowser