Description
A potential authentication bypass was reported in Lenovo Smart Connect for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges.
Published: 2026-06-10
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an authentication bypass in Lenovo Smart Connect for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges. The defect is classified as CWE-290, an authentication bypass weakness, which lets a user who can log in to the Windows system gain higher privileges and potentially compromise system integrity.

Affected Systems

The affected product is Lenovo Smart Connect for Windows, from the vendor Lenovo. The issue exists in releases prior to 09.0.2.003.000; that version and later versions contain the fix.

Risk and Exploitability

The CVSS 4.0 score is 7.3, indicating high severity for a local privilege escalation. No EPSS score is available, so the likelihood of exploitation cannot be quantified from public data, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires a local authenticated user to run Smart Connect; no remote access vector is described. An attacker with a user session could leverage the authentication bypass to execute code with elevated privileges, resulting in full control over the affected system.

Generated by OpenCVE AI on June 10, 2026 at 16:20 UTC.

Remediation

Vendor Solution

Update Lenovo Smart Connect for Windows to version 09.0.2.003.000 or later. Smart Connect will prompt the user to download the latest version when launched.


OpenCVE Recommended Actions

  • Apply the Lenovo Smart Connect update to version 09.0.2.003.000 or later
  • Disable or uninstall Lenovo Smart Connect if it is not needed, or configure it to run only with non-elevated privileges
  • Enforce least privilege for local accounts and monitor Windows event logs for anomalous activity



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Title | | Authentication Bypass Allowing Local Privilege Escalation

Wed, 10 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | | A potential authentication bypass was reported in Lenovo Smart Connect for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges.
First Time appeared | | Lenovo; Lenovo smart Connect
Weaknesses | | CWE-290
CPEs | | cpe:2.3:a:lenovo:smart_connect:*:*:windows:*:*:*:*:*
Vendors & Products | | Lenovo; Lenovo smart Connect
References | |
Metrics | | cvssV3_1: {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0: {'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Lenovo Smart Connect
MITRE

Status: PUBLISHED

Assigner: lenovo

Published:

Updated: 2026-06-10T16:06:36.704Z

Reserved: 2026-04-10T15:59:03.867Z

Link: CVE-2026-6090

Vulnrichment

Updated: 2026-06-10T16:06:33.890Z

NVD

Status: Received

Published: 2026-06-10T15:16:42.513

Modified: 2026-06-10T15:16:42.513

Link: CVE-2026-6090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T16:30:26Z

Weaknesses