CVE-2026-6281 PUBLISHED

Assigner: lenovo
Reserved: 14.04.2026 Published: 13.05.2026 Updated: 13.05.2026

A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor: Lenovo
Product: Personal Cloud T2s
Versions (default: unaffected)
  • affected from 0 to 5.5.6.t2s.3 (excl.)

Vendor: Lenovo
Product: Personal Cloud T2Pro
Versions (default: unaffected)
  • affected from 0 to 5.4.8.t2pro.2 (excl.)

Vendor: Lenovo
Product: Personal Cloud X1s
Versions (default: unaffected)
  • affected from 0 to 5.4.8.x1s.2 (excl.)

Vendor: Lenovo
Product: Home Storage Hub T20
Versions (default: unaffected)
  • affected from 0 to 5.5.8.t20.1 (excl.)

Vendor: Lenovo
Product: Home Storage Hub X20
Versions (default: unaffected)
  • affected from 0 to 5.4.4.x20.1 (excl.)

Vendor: Lenovo
Product: Personal Cloud T1
Versions (default: unaffected)
  • affected from 0 to 5.4.0.t1.6 (incl.)

Vendor: Lenovo
Product: Personal Cloud A1
Versions (default: unaffected)
  • affected from 0 to 5.4.2.a1.3 (incl.)

Vendor: Lenovo
Product: Personal Cloud A1s
Versions (default: unaffected)
  • affected from 0 to 5.5.6.a1s (incl.)

Vendor: Lenovo
Product: Personal Cloud T2
Versions (default: unaffected)
  • affected from 0 to 5.4.5.t2.2 (incl.)

Vendor: Lenovo
Product: Personal Cloud X1
Versions (default: unaffected)
  • affected from 0 to 5.4.7.x1.1 (incl.)

Solutions

Update device firmware to the version indicated in the advisory: https://iknow.lenovo.com.cn/detail/440274

Credits

  • Lenovo thanks Wang Jincheng, Professor Yu Le from Nanjing University of Posts and Telecommunications and Professor Luo Xiapu from The Hong Kong Polytechnic University (finder)

Problem Types

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command