← Back
2026-03-04 19:30CVE-2026-28427GitHub_M
PUBLISHED5.2CWE-22CWE-24

OpenDeck affected by path traversal allows arbitrary file read

OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended directory and read any file OpenDeck can access. This vulnerability is fixed in 2.8.1.

Problem type

Affected products

nekename

OpenDeck

< 2.8.1 - AFFECTED

References

https://github.com/nekename/OpenDeck/security/advisories/GHSA-4974-g27q-h5m8

https://github.com/nekename/OpenDeck/security/advisories/GHSA-4974-g27q-h5m8

x_refsource_CONFIRM
https://github.com/nekename/OpenDeck/commit/488a52050017e95a72ba448226ac5e19a20dd9ed

https://github.com/nekename/OpenDeck/commit/488a52050017e95a72ba448226ac5e19a20dd9ed

x_refsource_MISC

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-28427
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-28427",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-03-04T21:05:38.200Z",
    "dateReserved": "2026-02-27T15:54:05.137Z",
    "datePublished": "2026-03-04T19:30:07.137Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-03-04T19:30:07.137Z"
      },
      "title": "OpenDeck affected by path traversal allows arbitrary file read",
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended directory and read any file OpenDeck can access. This vulnerability is fixed in 2.8.1."
        }
      ],
      "affected": [
        {
          "vendor": "nekename",
          "product": "OpenDeck",
          "versions": [
            {
              "version": "< 2.8.1",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
              "cweId": "CWE-22",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-24: Path Traversal: '../filedir'",
              "cweId": "CWE-24",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/nekename/OpenDeck/security/advisories/GHSA-4974-g27q-h5m8",
          "name": "https://github.com/nekename/OpenDeck/security/advisories/GHSA-4974-g27q-h5m8",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/nekename/OpenDeck/commit/488a52050017e95a72ba448226ac5e19a20dd9ed",
          "name": "https://github.com/nekename/OpenDeck/commit/488a52050017e95a72ba448226ac5e19a20dd9ed",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-03-04T21:05:38.200Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}