OpenDeck is a Linux-based software designed to interface with Elgato Stream Deck devices, providing functionality through plugins served via a local service listening on TCP port 57118. Prior to version 2.8.1, this service improperly handles pathname sanitization when serving static files for plugins. Specifically, it does not adequately restrict or normalize path components, allowing an attacker to include '../' sequences in HTTP requests to traverse directories outside the intended plugin directory. This path traversal vulnerability (CWE-22) enables an unauthenticated remote attacker to read arbitrary files on the host system with the same privileges as the OpenDeck service. The vulnerability does not require authentication but does require user interaction, such as the attacker convincing a user or system to send crafted requests to the vulnerable service. The CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), user interaction required (UI:A), and high confidentiality impact (VC:H), with no impact on integrity or availability. The scope is limited (SI:L), and the vulnerability is fixed in OpenDeck version 2.8.1. No known exploits are currently reported in the wild. This vulnerability is significant because it can expose sensitive files, including configuration files, credentials, or other private data accessible by the OpenDeck process, potentially leading to further compromise if leveraged in a multi-stage attack.

The primary impact of CVE-2026-28427 is unauthorized disclosure of sensitive information due to arbitrary file read capabilities. Organizations using OpenDeck on Linux systems are at risk of having confidential data exposed, including credentials, configuration files, or other sensitive plugin data. This exposure can facilitate further attacks such as privilege escalation, lateral movement, or targeted espionage. Since the vulnerability requires user interaction and has high attack complexity, widespread automated exploitation is less likely, but targeted attacks against streamers, content creators, or organizations using OpenDeck in production environments remain a concern. The impact is limited to confidentiality; integrity and availability are not affected. However, the ability to read arbitrary files can undermine trust in the affected systems and lead to compliance or privacy violations. The vulnerability affects any environment where OpenDeck is deployed and accessible over the network, especially if the service is exposed beyond localhost or internal networks.

To mitigate CVE-2026-28427, organizations should immediately upgrade OpenDeck to version 2.8.1 or later, where the path traversal vulnerability is fixed. If upgrading is not immediately possible, restrict network access to port 57118 to trusted hosts only, ideally limiting it to localhost or internal networks via firewall rules or network segmentation. Implement application-layer filtering or reverse proxies that sanitize or block requests containing '../' sequences or suspicious path traversal patterns. Monitor logs for unusual requests targeting the OpenDeck service, especially those containing directory traversal payloads. Educate users about the risks of interacting with untrusted sources that might trigger malicious requests. Regularly audit file permissions and ensure the OpenDeck service runs with the least privileges necessary to limit the scope of file access. Finally, maintain an incident response plan to quickly address any suspected exploitation.