Skip to main content

Lenovo App Store CVE-2026-13104

| EUVDEUVD-2026-44977 HIGH
Execution with Unnecessary Privileges (CWE-250)
2026-07-16 lenovo GHSA-whrx-5ggp-j935
7.0
CVSS 4.0 · Vendor: lenovo
Share

Severity by source

Vendor (lenovo) PRIMARY
7.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Local vector and existing low-privileged authenticated user give AV:L/PR:L; passive user interaction maps to UI:R; CWE-250 abuse yields full C/I/A impact with unchanged scope.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (lenovo).

CVSS VectorVendor: lenovo

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jul 16, 2026 - 18:18 EUVD
Analysis Generated
Jul 16, 2026 - 17:17 vuln.today
CVE Published
Jul 16, 2026 - 16:49 cve.org
HIGH 7.0

DescriptionCVE.org

A potential vulnerability was reported in Lenovo App Store, distributed exclusively in the Chinese market, that could allow a local authenticated user to execute arbitrary code with elevated privileges.

AnalysisAI

Local privilege escalation to arbitrary code execution affects Lenovo App Store, a software-distribution client shipped exclusively on Lenovo devices in the Chinese market. A local authenticated user who can interact with the application can leverage its excessive privileges (CWE-250) to run arbitrary code at an elevated privilege level, with high confidentiality, integrity, and availability impact on the host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Log in as local authenticated user
Delivery
Interact with Lenovo App Store client
Exploit
Abuse unnecessary elevated privileges (CWE-250)
Execution
Execute arbitrary code at elevated privilege
Impact
Full compromise of host

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already be a local authenticated user (PR:L) on a device that has the Lenovo App Store installed - meaning a Lenovo device distributed in the Chinese market - and the flaw is triggered locally (AV:L), not over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 base score is 7.0 (High) with vector AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H, indicating a local attack vector requiring an already-authenticated low-privileged user plus some passive user interaction, but yielding full high impact to confidentiality, integrity, and availability once triggered. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A standard authenticated user (or malware running under that user) on a Chinese-market Lenovo PC interacts with the Lenovo App Store client and abuses its unnecessarily elevated privileges to run attacker-supplied code in the higher-privileged context, gaining full control of the system. The CVSS vector's UI:P suggests the chain also depends on some passive user action being present. …
Remediation Consult and follow the Lenovo advisory at https://iknow.lenovo.com.cn/detail/441419 and update the Lenovo App Store to the vendor-fixed build; no vendor-released patch version was identified in the provided data, so the exact fix version must be confirmed directly from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and inventory all Lenovo devices running Lenovo App Store in Chinese market deployments and assess organizational exposure scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy