Lenovo PCCS Path Validation Flaw Allows Authenticated File Access
CVE-2026-6282 Published on May 13, 2026
A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.
Vulnerability Analysis
CVE-2026-6282 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2026-6282 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2026-6282
Want to know whenever a new CVE is published for Lenovo products? stack.watch will email you.
Affected Versions
Lenovo Personal Cloud T2s:- Before 5.5.6.t2s.3 is affected.
- Before 5.4.8.t2pro.2 is affected.
- Before 5.4.8.x1s.2 is affected.
- Before 5.5.8.t20.1 is affected.
- Before 5.4.4.x20.1 is affected.
- Before and including 5.4.0.t1.6 is affected.
- Before and including 5.4.2.a1.3 is affected.
- Before and including 5.5.6.a1s is affected.
- Before and including 5.4.5.t2.2 is affected.
- Before and including 5.4.7.x1.1 is affected.