Skip to main content

Lenovo Personal Cloud CVE-2026-6282

| EUVDEUVD-2026-30041 HIGH
Path Traversal (CWE-22)
2026-05-13 lenovo GHSA-m6vj-6h49-wg69
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Patch available
May 13, 2026 - 16:33 EUVD
Analysis Updated
May 13, 2026 - 16:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 13, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 13, 2026 - 16:22 NVD
8.1 (HIGH) 8.6 (HIGH)
Analysis Generated
May 13, 2026 - 16:01 vuln.today
CVE Published
May 13, 2026 - 14:15 nvd
HIGH 8.1

DescriptionCVE.org

A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.

AnalysisAI

Path traversal in Lenovo Personal Cloud Storage devices allows authenticated remote attackers to move or access files belonging to other users on the same device, enabling unauthorized data disclosure and modification across user boundaries. Affects multiple product lines including Personal Cloud (T1, T2, T2S, T2Pro, X1, X1S, A1, A1S) and Home Storage Hub (T20, X20). CVSS 8.6 reflects high confidentiality and integrity impact with low attack complexity. No active exploitation confirmed in CISA KEV at time of analysis, and EPSS data not available for this 2026 CVE identifier.

Technical ContextAI

This vulnerability stems from improper file path validation (CWE-22: Path Traversal) in Lenovo's Personal Cloud Storage platform. Path traversal vulnerabilities occur when applications fail to properly sanitize user-supplied file path inputs, allowing attackers to use special characters (like ../ sequences) or absolute paths to access files outside their intended directory scope. In multi-tenant storage systems like Lenovo Personal Cloud, proper path validation is critical for maintaining isolation between different users' data stores. The affected CPE entries indicate this is a platform-wide issue affecting Lenovo's entire consumer NAS product line, including T-series (T1, T2, T2S, T2Pro), X-series (X1, X1S), A-series (A1, A1S), and Home Storage Hub models (T20, X20). The CVSS 4.0 vector shows network-accessible exploitation with low complexity and no user interaction required once authenticated.

RemediationAI

Users should immediately check Lenovo's official advisory at https://iknow.lenovo.com.cn/detail/440274 for firmware updates addressing this path traversal vulnerability. For devices receiving updates, apply the latest firmware version through the device's administrative interface following Lenovo's upgrade procedures. For the Personal Cloud T1 model, which has reached end-of-life status (https://pc.lenovo.com.cn/tips/Ann/t1_eol.html), no patch may be available; users should migrate data to supported models or alternative storage solutions. As interim mitigation until patches are applied: restrict user account creation to only trusted individuals, regularly audit user account lists and remove unnecessary accounts, implement strong unique passwords for all accounts to prevent credential compromise, monitor device access logs for unusual file access patterns, consider network segmentation to limit device accessibility to trusted networks only, and disable remote access features if not required. Each mitigation trades convenience for security: removing remote access eliminates legitimate external usage, account restrictions limit device utility in multi-user households, and log monitoring requires manual review effort.

More in Lenovo

View all
CVE-2012-1195 HIGH POC
7.5 Feb 18

Unrestricted file upload vulnerability in andesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup

CVE-2012-1196 MEDIUM POC
5.0 Feb 18

Directory traversal vulnerability in the VulCore web service (WSVulnerabilityCore/VulCore.asmx) in Lenovo ThinkManagemen

CVE-2015-2219 HIGH POC
7.2 May 12

Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allo

CVE-2018-14066 CRITICAL POC
9.8 Jul 15

The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phone

CVE-2026-58583 HIGH POC
8.4 Jul 07

Local privilege escalation in the FluxInk (formerly Sunia SPB Peripheral) Color Management Driver TcnPeripheral64.sys ve

CVE-2017-7293 HIGH POC
7.8 Apr 26

The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to

CVE-2015-6971 HIGH POC
7.8 Oct 03

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the

CVE-2015-8110 HIGH POC
7.8 Apr 24

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by nav

CVE-2021-3633 HIGH POC
7.8 Aug 17

A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow

CVE-2022-0354 HIGH POC
7.3 Apr 22

A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ab

CVE-2015-8109 HIGH POC
7.0 Apr 24

Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by mak

CVE-2017-3761 CRITICAL
9.8 Oct 17

The Lenovo Service Framework Android application executes some system commands without proper sanitization of external i

Share

CVE-2026-6282 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy