CVE-2026-28427
Published: 04 March 2026
Summary
CVE-2026-28427 is a medium-severity Path Traversal (CWE-22) vulnerability in Nekename Opendeck. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 25.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-28427 is a path traversal vulnerability (CWE-22, CWE-24) affecting OpenDeck, a Linux-based software application for controlling Elgato Stream Deck devices. In versions prior to 2.8.1, the service listening on TCP port 57118, which serves static files for installed plugins, fails to properly sanitize path components in HTTP requests. This allows attackers to include directory traversal sequences such as "../" in the request path, enabling access to files outside the intended plugin directory that are readable by the OpenDeck process. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for authentication or user interaction.
Any unauthenticated attacker with network access to the vulnerable OpenDeck service on port 57118 can exploit this issue by crafting an HTTP request with traversal sequences to read arbitrary files accessible to the OpenDeck process, such as configuration files, credentials, or other sensitive data on the host system. Exploitation requires no privileges and can be performed remotely over the network with low complexity, potentially exposing system information depending on the permissions of the OpenDeck service user.
The vulnerability is addressed in OpenDeck version 2.8.1, as detailed in the project's GitHub security advisory (GHSA-4974-g27q-h5m8) and the corresponding fix commit (488a52050017e95a72ba448226ac5e19a20dd9ed). Security practitioners should recommend immediate upgrades to 2.8.1 or later, restrict network access to port 57118 where possible, and monitor for anomalous requests to the service.
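As an added illustration of the input-validation control the analysis calls for (this is example code, not OpenDeck's own handler or its fix commit), the resolver below maps a request path for the static-file service onto a file under the plugin root: it percent-decodes first, rejects any `..` component, and checks the result still lies beneath the root. The function names, the `/var/lib/opendeck/plugins` root and the sample paths are assumptions constructed for the example.

```rust
use std::path::{Component, Path, PathBuf};

/// Decode %XX sequences in a request path; None on malformed input.
/// Constructed helper for this example; a real server would use its
/// routing layer's decoder.
fn percent_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = bytes.get(i + 1..i + 3)?;
            let v = u8::from_str_radix(std::str::from_utf8(hex).ok()?, 16).ok()?;
            out.push(v);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Map a request path such as "/com.example.plugin/ui/index.html" to a file
/// under `root`, or None if the request would escape the plugin directory.
pub fn resolve_plugin_file(root: &Path, request_path: &str) -> Option<PathBuf> {
    // Decode first so encoded variants ("%2e%2e", "..%2f") are judged in decoded form.
    let decoded = percent_decode(request_path)?;
    // NUL bytes and backslashes never belong in a plugin asset name.
    if decoded.contains('\0') || decoded.contains('\\') {
        return None;
    }
    let mut out = root.to_path_buf();
    for comp in Path::new(&decoded).components() {
        match comp {
            // Leading "/" and "." segments are harmless and skipped.
            Component::RootDir | Component::CurDir => {}
            // Ordinary segments are appended beneath the root.
            Component::Normal(seg) => out.push(seg),
            // Any ".." (or Windows drive prefix) is rejected outright.
            Component::ParentDir | Component::Prefix(_) => return None,
        }
    }
    // Defence in depth: the lexical result must still sit beneath the root.
    // Note this does not resolve symlinks; canonicalize at open time if plugin
    // directories may contain links pointing outside the root.
    if !out.starts_with(root) {
        return None;
    }
    Some(out)
}
```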
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9494
Vulnerability details
OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended directory and read any file OpenDeck can access. This vulnerability is fixed in 2.8.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the network-accessible HTTP service on port 57118 enables remote exploitation of a public-facing application (T1190) for arbitrary local file read (T1005), including credential files (T1552.001).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the path traversal flaw in OpenDeck versions prior to 2.8.1 by applying the vendor patch that sanitizes request paths.
- SI-10 (Information Input Validation): requires validation of HTTP request path inputs to block directory traversal sequences like '../', preventing unauthorized file access outside the plugin directory.
- SC-7 (Boundary Protection): restricts network access to the vulnerable OpenDeck service on TCP port 57118, mitigating remote unauthenticated exploitation.