Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Permission control vulnerability in the file preview module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
AnalysisAI
Insufficient permission enforcement in the HarmonyOS file preview module allows a local, unprivileged attacker to access sensitive file contents without authorization. Affecting Huawei HarmonyOS (all versions per CPE wildcard), the flaw is classified as CWE-200 and carries a CVSS 5.5 Medium score, with high confidentiality impact but no integrity or availability exposure. No public exploit identified at time of analysis, and Huawei disclosed this vulnerability via its June 2026 security bulletin.
Technical ContextAI
The affected component is the file preview module within Huawei HarmonyOS (CPE: cpe:2.3:a:huawei:harmonyos:*:*:*:*:*:*:*:*). CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) indicates the root cause is a failure to properly enforce access control checks before rendering or displaying file content during a preview operation. The CVSS vector AV:L/AC:L/PR:N/UI:R reflects that exploitation is constrained to local access with required user interaction, suggesting the preview module does not adequately validate the calling process's permissions against the target file's access controls - a classic permission control bypass in a sandboxed or OS-level file handling subsystem.
RemediationAI
Apply the security updates detailed in Huawei's June 2026 security bulletins for the relevant device category - consumer devices at https://consumer.huawei.com/en/support/bulletin/2026/6/, vision products at https://consumer.huawei.com/en/support/bulletinvision/2026/6/, and laptops at https://consumer.huawei.com/en/support/bulletinlaptops/2026/6/. The exact patched HarmonyOS version is not independently confirmed from the available CPE or reference data - consult the bulletin directly to identify the target firmware version for your device. As a compensating control prior to patching, restricting untrusted third-party application installation on affected HarmonyOS devices reduces the risk of a malicious co-resident app triggering the preview module against protected files. Note this does not fully mitigate the flaw if a rogue local user is the threat actor.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35341
GHSA-2pp9-mf4r-4wpf