CVE-2026-6282 PUBLISHED

Assigner: lenovo
Reserved: 14.04.2026 Published: 13.05.2026 Updated: 13.05.2026

A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.6

Product Status

Vendor Lenovo
Product Personal Cloud T2s
Versions Default: unaffected
  • affected from 0 to 5.5.6.t2s.3 (excl.)
Vendor Lenovo
Product Personal Cloud T2Pro
Versions Default: unaffected
  • affected from 0 to 5.4.8.t2pro.2 (excl.)
Vendor Lenovo
Product Personal Cloud X1s
Versions Default: unaffected
  • affected from 0 to 5.4.8.x1s.2 (excl.)
Vendor Lenovo
Product Home Storage Hub T20
Versions Default: unaffected
  • affected from 0 to 5.5.8.t20.1 (excl.)
Vendor Lenovo
Product Home Storage Hub X20
Versions Default: unaffected
  • affected from 0 to 5.4.4.x20.1 (excl.)
Vendor Lenovo
Product Personal Cloud T1
Versions Default: unaffected
  • affected from 0 to 5.4.0.t1.6 (incl.)
Vendor Lenovo
Product Personal Cloud A1
Versions Default: unaffected
  • affected from 0 to 5.4.2.a1.3 (incl.)
Vendor Lenovo
Product Personal Cloud A1s
Versions Default: unaffected
  • affected from 0 to 5.5.6.a1s (incl.)
Vendor Lenovo
Product Personal Cloud T2
Versions Default: unaffected
  • affected from 0 to 5.4.5.t2.2 (incl.)
Vendor Lenovo
Product Personal Cloud X1
Versions Default: unaffected
  • affected from 0 to 5.4.7.x1.1 (incl.)

Solutions

Update device firmware to the version indicated in the advisory: https://iknow.lenovo.com.cn/detail/440274

Credits

  • Lenovo thanks Wang Jincheng, Professor Yu Le from Nanjing University of Posts and Telecommunications and Professor Luo Xiapu from The Hong Kong Polytechnic University finder

References

Problem Types

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE