{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cloakbrowser--0.3.27/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["cloakbrowser (\u003c= 0.3.27)"],"_cs_severities":["high"],"_cs_tags":["path-traversal","directory-deletion","cloakbrowser","CVE-2026-45727"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003eCloakBrowser\u0026rsquo;s \u003ccode\u003ecloakserve\u003c/code\u003e component is vulnerable to an unauthenticated path traversal attack. The vulnerability stems from the direct use of the user-supplied \u003ccode\u003efingerprint\u003c/code\u003e query parameter as a filesystem path component when creating Chrome profile directories. An attacker, without needing authentication, can send a crafted \u003ccode\u003efingerprint\u003c/code\u003e value containing path traversal sequences to manipulate the \u003ccode\u003euser_data_dir\u003c/code\u003e resolution to point outside the intended \u003ccode\u003edata_dir\u003c/code\u003e. This vulnerability affects CloakBrowser versions 0.3.27 and earlier. The default configuration of \u003ccode\u003ecloakserve\u003c/code\u003e binding to \u003ccode\u003e0.0.0.0\u003c/code\u003e exacerbates the issue by making it network-exposed. By exploiting this vulnerability, attackers can delete arbitrary directories accessible to the service user when Chrome fails to start or during process cleanup.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the exposed \u003ccode\u003ecloakserve\u003c/code\u003e port.\u003c/li\u003e\n\u003cli\u003eThe request includes a crafted \u003ccode\u003efingerprint\u003c/code\u003e query parameter containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecloakserve\u003c/code\u003e uses the \u003ccode\u003efingerprint\u003c/code\u003e parameter to construct a path for the Chrome profile directory (\u003ccode\u003euser_data_dir\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe path traversal sequences in the \u003ccode\u003efingerprint\u003c/code\u003e parameter cause \u003ccode\u003euser_data_dir\u003c/code\u003e to resolve outside the configured \u003ccode\u003edata_dir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eChrome attempts to start using the manipulated \u003ccode\u003euser_data_dir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eChrome fails to start, potentially due to issues with the traversed path or profile directory.\u003c/li\u003e\n\u003cli\u003eDuring cleanup or when the process is terminated, \u003ccode\u003eshutil.rmtree()\u003c/code\u003e is called to delete the \u003ccode\u003euser_data_dir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal, \u003ccode\u003eshutil.rmtree()\u003c/code\u003e deletes an arbitrary directory accessible to the service user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker with network access to the \u003ccode\u003ecloakserve\u003c/code\u003e port to delete arbitrary directories accessible to the service user. The number of affected installations is unknown. This vulnerability allows for denial of service or potentially more severe impacts depending on the contents and permissions of the deleted directories.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CloakBrowser to version 0.3.28 or later to remediate the vulnerability as advised in the overview.\u003c/li\u003e\n\u003cli\u003eRestrict network access to the \u003ccode\u003ecloakserve\u003c/code\u003e port (typically port 8080) as described in the mitigations section of the linked advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CloakBrowser Path Traversal Attempt via Crafted Fingerprint\u0026rdquo; to monitor for suspicious \u003ccode\u003efingerprint\u003c/code\u003e parameters containing path traversal sequences.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T17:50:51Z","date_published":"2026-05-18T17:50:51Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cloakbrowser-path-traversal/","summary":"An unauthenticated path traversal vulnerability exists in CloakBrowser's cloakserve component (versions 0.3.27 and earlier) where a crafted fingerprint query parameter with path traversal sequences can be used to delete arbitrary directories accessible to the service user (CVE-2026-45727).","title":"CloakBrowser cloakserve Unauthenticated Path Traversal Leading to Arbitrary Directory Deletion (CVE-2026-45727)","url":"https://feed.craftedsignal.io/briefs/2026-05-cloakbrowser-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Cloakbrowser (\u003c= 0.3.27)","version":"https://jsonfeed.org/version/1.1"}