Description
Improper handling of insufficient permission in Samsung Cloud prior to version 5.6.11 allows local attackers to access specific files in arbitrary path.
Published: 2026-01-09
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Local File Access
Action: Assess Impact
AI Analysis

Impact

A local attacker can read arbitrary files on a device running Samsung Cloud prior to version 5.6.11 because the software fails to enforce sufficient permissions, allowing the attacker to invoke operations that bypass normal access controls.

Affected Systems

The vulnerability affects Samsung Cloud, part of the Samsung Mobile ecosystem, for all releases earlier than 5.6.11. Any device running an affected version could be compromised, exposing confidential files stored within the cloud service.

Risk and Exploitability

With a CVSS score of 2.1, the technical severity is low. The EPSS score is less than 1%, indicating a very small probability that an attack would be executed in the wild, and the issue is not listed in the CISA KEV catalog. The likely attack vector is local: an attacker with access to the device can target the cloud service without remote network involvement.

Generated by OpenCVE AI on April 18, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Samsung Cloud to version 5.6.11 or later.
  • Apply a device-level whitelist or file‑access restriction to prevent the Samsung Cloud application from reading arbitrary file paths if an update is not immediately available.
  • Configure device monitoring or logging to detect unauthorized file read attempts and set up alerts for suspicious activity.



Advisories

No advisories yet.

History

Sat, 18 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Title Local Permission Escalation in Samsung Cloud Allows Access to Arbitrary Files
Weaknesses CWE-284
CWE-732

Thu, 15 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:a:samsung:cloud:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Fri, 09 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung cloud
Vendors & Products Samsung
Samsung cloud

Fri, 09 Jan 2026 06:30:00 +0000

Type Values Removed Values Added
Description Improper handling of insufficient permission in Samsung Cloud prior to version 5.6.11 allows local attackers to access specific files in arbitrary path.
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-01-09T19:09:53.391Z

Reserved: 2025-12-11T01:33:35.798Z

Link: CVE-2026-20975

Vulnrichment

Updated: 2026-01-09T19:09:50.908Z

NVD

Status: Analyzed

Published: 2026-01-09T07:16:04.093

Modified: 2026-01-15T19:43:07.930

Link: CVE-2026-20975

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:45:05Z