Lenovo App Store Path Traversal Vulnerability (CVE-2026-13103) Leading to Arbitrary Code Execution
A critical path traversal vulnerability, identified as CVE-2026-13103, exists in the Lenovo App Store, enabling a local authenticated user to achieve arbitrary code execution on affected Windows systems within the Chinese market.
A significant path traversal vulnerability (CVE-2026-13103) has been reported in the Lenovo App Store, an application distributed exclusively in the Chinese market. This flaw, categorized as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), allows a local authenticated user to execute arbitrary code. The vulnerability affects versions of the Lenovo App Store prior to 9.0.2930.0514 running on Windows operating systems. Successful exploitation could lead to an attacker running malicious code with the privileges of the authenticated user, potentially facilitating further compromise, data manipulation, or system instability. The vulnerability has a CVSS v3.1 base score of 7.3 (High) and requires user interaction for exploitation.
Attack Chain
- A local, authenticated user gains access to a Windows system with the vulnerable Lenovo App Store installed.
- The user identifies the path traversal vulnerability within specific functionalities of the Lenovo App Store.
- The user crafts malicious input containing directory traversal sequences (e.g.,
../,..\) intended for a file path or similar parameter within the application. - The Lenovo App Store processes this malformed input, failing to properly sanitize or validate the path.
- This allows the attacker to write or modify files outside of the intended, restricted directories, potentially into critical system locations or user-controlled execution paths.
- The attacker places a malicious executable or script in a location from which it will be executed (e.g., a startup folder, an overwritten legitimate application binary, or a user-invoked path).
- Upon subsequent user interaction with the application or system, the malicious code is executed.
- Arbitrary code execution is achieved under the context of the local authenticated user.
Impact
Successful exploitation of CVE-2026-13103 can lead to arbitrary code execution within the context of the local authenticated user on affected Windows systems. This could allow an attacker to install additional malicious software, modify system configurations, access or exfiltrate sensitive data, or establish persistence. While this vulnerability requires prior local authentication and user interaction, it significantly escalates the potential for damage once an attacker has established a foothold on a system. The impact is primarily confined to users of the Lenovo App Store in the Chinese market.
Recommendation
- Immediately update the Lenovo App Store to version 9.0.2930.0514 or later to patch CVE-2026-13103.
- Regularly review and enforce principle of least privilege for all local user accounts to minimize the potential impact of successful local exploits.