Improper File Path Validation in Lenovo Personal Cloud Storage Devices
CVE-2026-6282

8.6HIGH

Key Information:

Vendor: Lenovo
Status: Personal Cloud T2s; Personal Cloud T2pro; Personal Cloud X1s; Home Storage Hub T20
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-6282?

A potential vulnerability in Lenovo Personal Cloud Storage devices has been identified, allowing a remote authenticated user to improperly access or move files belonging to other users. This flaw arises from inadequate validation of file paths, which may compromise user data integrity and privacy within shared storage environments. If exploited, this vulnerability could lead to unauthorized access to sensitive files, raising significant security concerns for users relying on these devices for personal storage solutions.

Affected Version(s)

Home Storage Hub T20 0 < 5.5.8.t20.1

Home Storage Hub X20 0 < 5.4.4.x20.1

Personal Cloud A1 0 <= 5.4.2.a1.3

References

https://iknow.lenovo.com.cn/detail/440274

https://pc.lenovo.com.cn/tips/Ann/t1_eol.html

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
Apr 14, 2026

Credit

Lenovo thanks Wang Jincheng, Professor Yu Le from Nanjing University of Posts and Telecommunications and Professor Luo Xiapu from The Hong Kong Polytechnic University

CVE-2026-6282 Data

JSON