CVE-2026-28427
Status: Received - Intake
Directory Traversal in OpenDeck Plugin Service Allows Arbitrary File Access

Publication date: 2026-03-04

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended directory and read any file OpenDeck can access. This vulnerability is fixed in 2.8.1.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-03-04
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: nekename
Product: opendeck
Version / Range: all versions before 2.8.1 (2.8.1 itself is not affected)
CWE
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-24 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28427 is a path traversal vulnerability in OpenDeck versions prior to 2.8.1. OpenDeck runs a webserver on port 57118 that serves static files for installed plugins but does not properly sanitize path components in HTTP requests. This allows an attacker to include "../" sequences in the request path to traverse outside the intended plugin directory and read arbitrary files accessible by the OpenDeck process.

The vulnerability arises because the server fails to correctly handle directory traversal sequences, enabling attackers to access sensitive files such as SSH private keys, AWS credentials, or browser profile data by crafting malicious requests. Exploitation requires knowledge of the victim's local username and user interaction, such as visiting a malicious webpage that makes requests to the local OpenDeck server.

This vulnerability is fixed in OpenDeck version 2.8.1 by enhancing path validation, canonicalizing requested paths, and enforcing that file access remains within the designated configuration directory. [1]
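To make the fix described above concrete, the following Python illustration (added here; it is not OpenDeck's own code, and the directory layout, file names and request paths are constructed for the example) places the naive join that lets "../" walk out of the plugin directory next to a hardened resolver that percent-decodes, canonicalizes and then checks containment component by component, which is the CWE-22/CWE-24 pattern the advisory points at.

```python
import posixpath
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def vulnerable_resolve(base_dir: str, request_path: str) -> str:
    """Naive join, modelling the pre-2.8.1 behaviour described above: the
    request path is appended to the plugin directory and normalised, but
    nothing checks that the result is still inside base_dir, so every
    '../' segment walks one level out of it."""
    return posixpath.normpath(posixpath.join(base_dir, request_path.lstrip("/")))


def safe_resolve(base_dir: str, request_path: str) -> Optional[Path]:
    """Hardened resolver: decode, canonicalise, then check containment.
    Returns the real file to serve, or None (answer 403/404)."""
    base = Path(base_dir).resolve()
    # Percent-decode until stable so %2e%2e and double-encoded %252e%252e
    # are seen as '..' rather than as harmless literal file names.
    decoded = request_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # NUL bytes and backslashes have no business in a plugin asset path.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # resolve() collapses '..' AND follows symlinks, so a link planted inside
    # the plugin directory cannot point outside it either.
    candidate = (base / decoded.lstrip("/")).resolve()
    # Component-wise containment check, not a string prefix check: a prefix
    # test would accept /home/u/.config/opendeck-evil as inside .../opendeck.
    if candidate != base and base not in candidate.parents:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway tree (constructed for this example) and exercise both
    resolvers. secret.txt stands in for a file such as ~/.ssh/id_rsa that
    lives outside the served plugin directory."""
    root = Path(tempfile.mkdtemp()).resolve()
    plugins = root / "plugins"
    plugin = plugins / "com.example.plugin"
    plugin.mkdir(parents=True)
    (plugin / "index.html").write_text("<h1>plugin asset</h1>")
    (root / "secret.txt").write_text("outside the plugin directory")

    traversal = "com.example.plugin/../../secret.txt"
    encoded = "com.example.plugin/%2e%2e/%252e%252e/secret.txt"
    legit = "com.example.plugin/index.html"
    return {
        # the naive join hands back root/secret.txt, i.e. the escape succeeds
        "vulnerable_escapes": Path(vulnerable_resolve(str(plugins), traversal)) == root / "secret.txt",
        "safe_blocks_plain": safe_resolve(str(plugins), traversal) is None,
        "safe_blocks_encoded": safe_resolve(str(plugins), encoded) is None,
        "safe_serves_legit": safe_resolve(str(plugins), legit) == plugin / "index.html",
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The containment test runs on the resolved path, so it also catches the two variants a plain "../" filter misses: percent-encoded dot segments, and a symlink inside the plugin tree that points elsewhere.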


How can this vulnerability impact me?

This vulnerability can lead to unauthorized disclosure of sensitive files accessible by the OpenDeck process. An attacker can exploit it to read private keys, credentials, and other confidential configuration files from the victim's system.

Such disclosure can result in further compromise of the victim's accounts or servers if the leaked credentials are used maliciously. The attack requires the victim to interact with a malicious webpage, which can then exfiltrate files from the local OpenDeck server without authentication.

The overall impact is moderate, with a CVSS v4 base score of 5.9, primarily affecting confidentiality. Integrity and availability are not impacted. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether the installed OpenDeck is a vulnerable version (prior to 2.8.1) and whether its service is listening on port 57118. Exploitation attempts can be spotted by looking for HTTP GET requests to that port whose path contains directory traversal sequences such as "../", including percent-encoded forms ("%2e%2e/", "..%2f").

A practical way to confirm the flaw on a test system is to send the same kind of request an attacker would. Note that curl normalizes "../" out of the URL before sending it unless told not to, so the --path-as-is flag is required; without it the probe silently tests the wrong path:

  • curl --path-as-is "http://localhost:57118/{prefix}/../.ssh/id_rsa"
  • curl --path-as-is "http://localhost:57118/{prefix}/../.aws/credentials"

Replace {prefix} with the appropriate plugin path prefix, and adjust the number of "../" segments to the depth of the served plugin directory relative to the target file. If a request returns file contents, the installation is vulnerable.

Because the attack described above is the victim's own browser talking to the local service, a network sensor elsewhere on the LAN will not see these requests. Detecting exploitation attempts requires capturing on the host itself (for example on the loopback interface, or from the service's own request logs if it keeps any), and the matching should decode "../" sequences before comparing, so that encoded variants are not missed. [1]
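The following Python detection snippet is added here as an example (it is not from the page's source or the OpenDeck project): it runs over a few constructed request lines of the kind a loopback capture on port 57118 might yield, fully percent-decodes each path before matching, and only flags ".." when it is a whole path component, so a file called notes..txt is not a false positive. The line format and the assumption that the traffic was captured on the loopback interface are both this example's own.

```python
import re
from typing import List
from urllib.parse import unquote

OPENDECK_PORT = 57118

# '..' as a whole path component, after decoding. 'notes..txt' must not match.
DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")

# Constructed sample of request lines to the local OpenDeck port, in the shape
# 'client -> server "METHOD PATH HTTP/x"'. OpenDeck's own log format is not
# documented on this page; assume these were captured on the loopback interface.
SAMPLE_LINES = [
    '127.0.0.1:41002 -> 127.0.0.1:57118 "GET /com.example.plugin/index.html HTTP/1.1"',
    '127.0.0.1:41004 -> 127.0.0.1:57118 "GET /com.example.plugin/../../.ssh/id_rsa HTTP/1.1"',
    '127.0.0.1:41006 -> 127.0.0.1:57118 "GET /com.example.plugin/%2e%2e/%2e%2e/.aws/credentials HTTP/1.1"',
    '127.0.0.1:41008 -> 127.0.0.1:57118 "GET /com.example.plugin/%252e%252e/%252e%252e/.bashrc HTTP/1.1"',
    '127.0.0.1:41010 -> 127.0.0.1:57118 "GET /com.example.plugin/notes..txt HTTP/1.1"',
    '127.0.0.1:41012 -> 127.0.0.1:8080 "GET /static/../../etc/passwd HTTP/1.1"',
]

LINE_RE = re.compile(
    r'-> (?P<dst>[\d.]+):(?P<port>\d+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"'
)


def fully_decode(path: str) -> str:
    """Percent-decode until the string stops changing, so %2e%2e and the
    double-encoded %252e%252e both end up as '..'."""
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return path


def is_traversal_path(raw_path: str) -> bool:
    # Treat backslashes as separators too; some servers accept them as such.
    decoded = fully_decode(raw_path).replace("\\", "/")
    # Drop any query string: this bug is in the path, and '?x=../..' is noise.
    decoded = decoded.split("?", 1)[0]
    return DOTDOT_SEGMENT.search(decoded) is not None


def find_traversal_requests(lines: List[str], port: int = OPENDECK_PORT) -> List[str]:
    """Return the decoded paths of traversal attempts aimed at `port`,
    ignoring traffic to any other port."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or int(m.group("port")) != port:
            continue
        if is_traversal_path(m.group("path")):
            hits.append(fully_decode(m.group("path")))
    return hits


if __name__ == "__main__":
    for path in find_traversal_requests(SAMPLE_LINES):
        print("traversal attempt:", path)
```

Run against the sample, it reports the three traversal requests to port 57118 (plain, single-encoded and double-encoded) and ignores both the legitimate asset request and the unrelated request to port 8080.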


What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to update OpenDeck to version 2.8.1 or later, where the vulnerability is fixed.

Other mitigation steps include:

  • Ensure that the OpenDeck webserver properly sanitizes and canonicalizes requested paths to prevent directory traversal. This is the server-side fix shipped in 2.8.1 and is only actionable if you build or patch OpenDeck yourself.
  • Implement authentication mechanisms such as tokens to verify legitimate clients accessing the OpenDeck service. Likewise a change for the project rather than a setting an end user can toggle.
  • Restrict or disable Cross-Origin Resource Sharing (CORS) requests, especially reviewing and limiting permissive headers like Access-Control-Allow-Origin: *. A wildcard there is what lets a malicious web page read the response to its cross-origin request to port 57118 rather than merely send it.

If updating immediately is not possible, restricting network access to port 57118 to the local machine limits exposure from other hosts, but it does not stop the attack described above, in which the victim's own browser issues the request to the local service. Until the update is applied, the only host-side workaround is not to run the service, and to monitor for suspicious requests.

