Remote Command Execution Vulnerability in Lenovo Personal Cloud Storage Devices
CVE-2026-6281

8.7HIGH

Key Information:

Vendor: Lenovo
Status: Personal Cloud T2s; Personal Cloud T2pro; Personal Cloud X1s; Home Storage Hub T20
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-6281?

A vulnerability has been identified in certain Lenovo Personal Cloud Storage devices allowing a remote authenticated user on the local network to execute arbitrary commands on the device. This flaw poses a significant security risk as it may enable unauthorized users to manipulate device operations and potentially compromise the integrity of the device's data.

Affected Version(s)

Home Storage Hub T20 0 < 5.5.8.t20.1

Home Storage Hub X20 0 < 5.4.4.x20.1

Personal Cloud A1 0 <= 5.4.2.a1.3

References

https://iknow.lenovo.com.cn/detail/440274

https://pc.lenovo.com.cn/tips/Ann/t1_eol.html

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Apr 14, 2026

Credit

Lenovo thanks Wang Jincheng, Professor Yu Le from Nanjing University of Posts and Telecommunications and Professor Luo Xiapu from The Hong Kong Polytechnic University

CVE-2026-6281 Data

JSON