Description
OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended directory and read any file OpenDeck can access. This vulnerability is fixed in 2.8.1.
Published: 2026-03-04
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file read via path traversal
Action: Immediate Patch
AI Analysis

Impact

OpenDeck, software for Elgato Stream Deck, allows attackers to read arbitrary files because the static file service that listens on port 57118 does not sanitize request paths. By including '../' sequences in the request path, a malicious client can traverse outside the intended plugin directory and access any file that the OpenDeck process can read. This is a confidentiality breach, enabling disclosure of sensitive data such as configuration files, logs, or other local files.

Affected Systems

All installations of OpenDeck earlier than version 2.8.1 are affected, regardless of deployment environment. The vulnerability exists in the service that serves static files for installed plugins, and the affected product is the OpenDeck application from vendor nekename.

Risk and Exploitability

The vulnerability carries a CVSS v3 score of 5.9, indicating moderate risk. The EPSS score is below 1%, suggesting low exploitation likelihood. It is not listed in the CISA Known Exploited Vulnerabilities catalogue. Based on the description, it is inferred that a remote attacker can send a specially crafted HTTP request to the service listening on port 57118, taking advantage of the improper sanitization of path components to traverse directories and read any file accessible to the OpenDeck process.

Generated by OpenCVE AI on April 16, 2026 at 13:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenDeck to version 2.8.1 or later to apply the fix that sanitizes path components.
  • Restrict external access to port 57118 using firewall rules or network segmentation to only allow trusted hosts if a patch cannot be applied immediately.
  • Disable or remove unneeded plugins or directories that expose sensitive files to reduce the attack surface while the service remains vulnerable.
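The fix the advisory refers to is path-component sanitization in the static file handler. As an added example that is not OpenDeck's own code nor part of the OpenCVE record, the Rust below shows the shape of that check: a lexical resolver that maps a request path onto a plugin directory and refuses any component that would leave it, including percent-encoded forms. The plugin directory, the request paths and the `percent_decode` helper are all constructed for this illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Decode %XX escapes once so that "%2e%2e" is seen as "..". Hypothetical helper
/// written for this example; a real server would use its HTTP library's decoder.
fn percent_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            // Need two hex digits after '%'; anything else is malformed.
            if i + 2 >= bytes.len() {
                return None;
            }
            let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).ok()?;
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Map a request path onto a file inside `base_dir`, or return None if any
/// component would let the request leave that directory. The check is purely
/// lexical (no filesystem access), so it runs before the file is opened and
/// does not depend on the target existing.
pub fn resolve_static_path(base_dir: &Path, request_path: &str) -> Option<PathBuf> {
    let decoded = percent_decode(request_path)?;
    // A NUL byte would truncate the path in the OS call; never pass it on.
    if decoded.contains('\0') {
        return None;
    }
    // Request paths are relative to the plugin directory; drop leading slashes.
    let relative = decoded.trim_start_matches('/');
    let mut resolved = base_dir.to_path_buf();
    for component in Path::new(relative).components() {
        match component {
            Component::Normal(segment) => resolved.push(segment),
            Component::CurDir => {}
            // ".." is rejected even where it would not escape ("a/../b"):
            // refusing it outright avoids having to normalise and re-check.
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    // Defence in depth: the result must still sit under base_dir.
    if !resolved.starts_with(base_dir) {
        return None;
    }
    Some(resolved)
}

fn main() {
    // Constructed plugin directory and request paths for illustration.
    let base = Path::new("/opt/opendeck/plugins/example");
    let requests = [
        "/index.html",
        "/./assets/app.js",
        "/../../../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
    ];
    for request in requests {
        match resolve_static_path(base, request) {
            Some(path) => println!("{request:<28} -> serve {}", path.display()),
            None => println!("{request:<28} -> 404 (rejected)"),
        }
    }
}
```

Rejecting every `..` component rather than normalising and re-checking is the conservative choice: it needs no canonicalisation of the target and therefore cannot be confused by symlinks or by files that do not exist yet. Decoding happens exactly once, before the component walk, so an encoded `..` is treated the same as a literal one.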


Advisories

No advisories yet.

History

Tue, 21 Apr 2026 15:30:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:nekename:opendeck:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Thu, 05 Mar 2026 09:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Nekename
                                       Nekename opendeck
Vendors & Products                     Nekename
                                       Nekename opendeck

Wed, 04 Mar 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description                    OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended directory and read any file OpenDeck can access. This vulnerability is fixed in 2.8.1.
Title                          OpenDeck affected by path traversal allows arbitrary file read
Weaknesses                     CWE-22
                               CWE-24
References
Metrics                        cvssV4_0: {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T21:05:38.200Z

Reserved: 2026-02-27T15:54:05.137Z

Link: CVE-2026-28427

Vulnrichment

Updated: 2026-03-04T21:05:25.327Z

NVD

Status : Analyzed

Published: 2026-03-04T20:16:19.640

Modified: 2026-04-21T15:17:56.377

Link: CVE-2026-28427

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:15:06Z

Weaknesses