Description
A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.
Published: 2026-05-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Lenovo Personal Cloud devices contain an improper file path validation flaw that allows a remote authenticated user to move or view files belonging to other users on the same device. The vulnerability grants an attacker privilege over confidential user data, enabling data theft, modification, or deletion. It is a direct bypass of the intended access control boundaries and poses a significant confidentiality and integrity risk.

Affected Systems

The flaw affects Lenovo Home Storage Hub T20 and X20 as well as Lenovo Personal Cloud models A1, A1s, T1, T2, T2Pro, T2s, X1, and X1s. No version specific details were provided; any firmware iterations lacking the published patch are potentially vulnerable.

Risk and Exploitability

With a CVSS score of 8.6 the vulnerability is considered high severity. EPSS data is not available and the vulnerability is not listed in CISA KEV, suggesting that public exploitation is not confirmed. Attackers must first authenticate to the device, typically via the web interface or API, and then exploit the path validation weakness to access or alter another user’s files. The attack surface is limited to devices that expose network connectivity, but once accessed, control over all user file data is possible.

Generated by OpenCVE AI on May 13, 2026 at 17:41 UTC.

Remediation

Vendor Solution

Update device firmware to the version indicated in the advisory: https://iknow.lenovo.com.cn/detail/440274

OpenCVE Recommended Actions

  • Update the device firmware to the version described in Lenovo’s advisory
  • Enforce strong authentication and limit account privileges so that users have access only to their own directories
  • Apply network segmentation or firewall rules to restrict external access to the device’s management interface
  • Audit file‑system activity to detect unexpected file movements or accesses

Generated by OpenCVE AI on May 13, 2026 at 17:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 18:00:00 +0000

Type Values Removed Values Added
Title Improper File Path Validation in Lenovo Personal Cloud Allows User File Access Hijacking

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.
First Time appeared Lenovo
Lenovo home Storage Hub T20
Lenovo home Storage Hub X20
Lenovo personal Cloud A1
Lenovo personal Cloud A1s
Lenovo personal Cloud T1
Lenovo personal Cloud T2
Lenovo personal Cloud T2pro
Lenovo personal Cloud T2s
Lenovo personal Cloud X1
Lenovo personal Cloud X1s
Weaknesses CWE-22
CPEs cpe:2.3:a:lenovo:home_storage_hub_t20:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:home_storage_hub_x20:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_a1:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_a1s:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_t1:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_t2:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_t2pro:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_t2s:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_x1:*:*:*:*:*:*:*:*
cpe:2.3:a:lenovo:personal_cloud_x1s:*:*:*:*:*:*:*:*
Vendors & Products Lenovo
Lenovo home Storage Hub T20
Lenovo home Storage Hub X20
Lenovo personal Cloud A1
Lenovo personal Cloud A1s
Lenovo personal Cloud T1
Lenovo personal Cloud T2
Lenovo personal Cloud T2pro
Lenovo personal Cloud T2s
Lenovo personal Cloud X1
Lenovo personal Cloud X1s
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Lenovo Home Storage Hub T20 Home Storage Hub X20 Personal Cloud A1 Personal Cloud A1s Personal Cloud T1 Personal Cloud T2 Personal Cloud T2pro Personal Cloud T2s Personal Cloud X1 Personal Cloud X1s
cve-icon MITRE

Status: PUBLISHED

Assigner: lenovo

Published:

Updated: 2026-05-13T18:28:18.601Z

Reserved: 2026-04-14T14:42:10.875Z

Link: CVE-2026-6282

cve-icon Vulnrichment

Updated: 2026-05-13T18:28:14.826Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-13T16:17:01.960

Modified: 2026-05-13T16:27:11.127

Link: CVE-2026-6282

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-17T19:41:57Z

Weaknesses