Cyber Resilience

CVE-2026-28427

Medium · Public PoC

Published: 04 March 2026

Modified: 21 April 2026
KEV Added: not listed
Patch: available (2.8.1)
CVSS v4 score: 5.9 (Medium), vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0009 (25.8th percentile)
Risk priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28427 is a medium-severity Path Traversal (CWE-22) vulnerability in Nekename OpenDeck. Its CVSS v4 base score is 5.9 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS model ranks it at the 25.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28427 is a path traversal vulnerability (CWE-22, CWE-24) affecting OpenDeck, a Linux application for controlling Elgato Stream Deck devices. In versions prior to 2.8.1, the service listening on TCP port 57118, which serves static files for installed plugins, does not sanitize the path components of HTTP requests. An attacker can therefore place directory traversal sequences such as "../" in the request path and read files outside the intended plugin directory, limited only to what the OpenDeck process itself can read. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), i.e. high confidentiality impact with no authentication or user interaction required. Note that the CVSS v4 vector shown at the top of this page (5.9, AC:H, UI:A) disagrees with the v3.1 vector on attack complexity and user interaction, so check which scoring your own prioritisation process consumes.

Any unauthenticated attacker who can reach the OpenDeck service on port 57118 can exploit the issue by sending an HTTP request whose path contains traversal sequences, reading arbitrary files accessible to the OpenDeck process, such as configuration files, credentials, or other sensitive data on the host. No privileges are needed and the request is trivial to craft. What is actually exposed depends on two things the page does not fix: which interface the service is bound to (loopback only versus all interfaces) and the permissions of the user running OpenDeck, which on a desktop is typically the logged-in user's own account and files.

The vulnerability is fixed in OpenDeck version 2.8.1, as detailed in the project's GitHub security advisory (GHSA-4974-g27q-h5m8) and the corresponding fix commit (488a52050017e95a72ba448226ac5e19a20dd9ed). Security practitioners should recommend an immediate upgrade to 2.8.1 or later, restrict network access to port 57118 where possible, and monitor for traversal sequences (including percent-encoded forms such as %2e%2e) in requests to the service.
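The two practitioner-facing points above, that the file server must reject traversal components before joining the request path onto the plugin directory, and that request monitoring should catch percent-encoded traversal as well as literal "../", are illustrated by the following added Rust example. It is not OpenDeck's code and does not reproduce the fix commit; it is a generic static-file path resolver in the vulnerable and hardened forms, plus a log-line check. The plugin root `/opt/opendeck/plugins`, the request-line shape `GET /path HTTP/1.1`, and the access-log lines are all assumed or constructed for the example.

```rust
use std::path::{Component, Path, PathBuf};

/// Percent-decode a request path so that encoded traversal (%2e%2e/) is
/// visible to the component check below. Malformed escapes are rejected.
fn percent_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            if i + 2 >= bytes.len() {
                return None; // truncated escape such as "%2"
            }
            let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).ok()?;
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Illustrative vulnerable resolver (not OpenDeck's code): the raw request
/// path is joined onto the plugin root, so "../" components survive and the
/// resulting path escapes the root once the OS resolves it.
fn resolve_unsafe(root: &Path, request_path: &str) -> PathBuf {
    root.join(request_path.trim_start_matches('/'))
}

/// Hardened resolver: decode, walk the path component by component, accept
/// only plain file-name components, and re-assemble them under the root.
fn resolve_safe(root: &Path, request_path: &str) -> Option<PathBuf> {
    let decoded = percent_decode(request_path)?;
    // NUL would truncate a C-string path; backslash is an alternate separator
    // on some platforms and has no business in a plugin asset name.
    if decoded.contains('\0') || decoded.contains('\\') {
        return None;
    }
    let mut out = root.to_path_buf();
    for comp in Path::new(&decoded).components() {
        match comp {
            Component::Normal(seg) => out.push(seg),
            // "." and the leading "/" of the URL path are harmless.
            Component::CurDir | Component::RootDir => {}
            // ".." or a drive prefix can only mean an attempt to leave the root.
            Component::ParentDir | Component::Prefix(_) => return None,
        }
    }
    // Belt and braces: the lexical result must still sit under the root.
    if !out.starts_with(root) {
        return None;
    }
    Some(out)
}

/// Access-log check: flag a request line whose decoded path contains a
/// parent-directory component. Assumes the "GET /path HTTP/1.1" shape.
fn is_traversal_attempt(request_line: &str) -> bool {
    let path = match request_line.split_whitespace().nth(1) {
        Some(p) => p,
        None => return false,
    };
    let path = path.split('?').next().unwrap_or(path);
    match percent_decode(path) {
        Some(d) => Path::new(&d)
            .components()
            .any(|c| matches!(c, Component::ParentDir)),
        None => true, // a malformed escape in a static-file request is itself suspicious
    }
}

fn main() {
    // Assumed plugin root; the real location is not stated on this page.
    let root = Path::new("/opt/opendeck/plugins");
    let probes = [
        "/com.example.plugin/icon.png",
        "/../../../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
    ];
    for p in probes {
        println!("{:<32} unsafe={:?} safe={:?}", p, resolve_unsafe(root, p), resolve_safe(root, p));
    }
    // Constructed access-log lines, not captured from a real OpenDeck host.
    let log = [
        "GET /com.example.plugin/manifest.json HTTP/1.1",
        "GET /../../../etc/passwd HTTP/1.1",
        "GET /%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1",
    ];
    for line in log {
        let verdict = if is_traversal_attempt(line) { "ALERT" } else { "ok" };
        println!("{} -> {}", line, verdict);
    }
}
```

The hardened resolver works lexically, which is why it rejects `..` outright rather than canonicalising and comparing: canonicalisation needs the target to exist and follows symlinks, so a symlink inside the plugin directory would still have to be checked separately. The detector deliberately decodes before inspecting, because a pattern match on the literal string `../` misses the `%2e%2e` spelling that the same decoder in the file server would happily turn into `..`.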


Vulnerability details

OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended directory and read any file OpenDeck can access. This vulnerability is fixed in 2.8.1.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-24 Path Traversal: '../filedir'

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Path traversal in network-accessible HTTP service on port 57118 enables remote exploitation of public-facing app (T1190) for arbitrary local file read (T1005), specifically including credential files (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2022-50992 (shared CWE-22)
CVE-2026-32847 (shared CWE-22)
CVE-2026-30869 (shared CWE-22)
CVE-2026-35615 (shared CWE-22)
CVE-2026-33077 (shared CWE-22)
CVE-2026-27305 (shared CWE-22)
CVE-2026-30403 (shared CWE-22)
CVE-2020-36939 (shared CWE-22)
CVE-2025-10897 (shared CWE-22)
CVE-2026-28679 (shared CWE-22)

Affected Assets

nekename
opendeck
< 2.8.1 (fixed in 2.8.1)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)
Directly remediates the path traversal flaw in OpenDeck versions prior to 2.8.1 by applying the vendor patch that sanitizes request paths.

SI-10 Information Input Validation (prevent)
Requires validation of HTTP request path inputs to block directory traversal sequences like '../' (and their percent-encoded forms), preventing unauthorized file access outside the plugin directory.

SC-7 Boundary Protection (prevent)
Enforces boundary protection to restrict network access to the vulnerable OpenDeck service on TCP port 57118, mitigating remote unauthenticated exploitation.
