CVE-2026-8637: A potential uncontrolled search path vulnerability was reported in the LanSchool Classic client application that could allow a local authenticated user to execute arbitrary code with elevated privileges
Metrics
- CVSS v4.0: 8.5
- Severity: HIGH
- Fixed in: 9.3.1.30
- Affected Products: 1
HarborGuard Analysis
Synopsis
An uncontrolled search path vulnerability affects the LanSchool Classic client application by Lenovo in versions below 9.3.1.30. The flaw is exploited locally by an authenticated user with low-level privileges, requiring no network access. Successful exploitation allows the attacker to execute arbitrary code with elevated privileges on the host. A patched-image rebuild at version 9.3.1.30 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection: Available. Detection of CVE-2026-8637 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream advisory feeds. Coverage extends to custom-built images that bundle the LanSchool Classic client, not only upstream base images.
- Triage: Available. Triage is available with the CVSS v4.0 score of 8.5 (HIGH) applied to each matched image, weighted against per-environment compliance policy to determine urgency. Findings are routable to the appropriate team inbox within each customer organization based on policy configuration.
- Patched image: Available. A patched-image rebuild at LanSchool Classic version 9.3.1.30 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, the platform can run a regression test suite and open a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network-facing exposure is required.
- Authentication: Required
  Any low-privilege local account is sufficient; the attacker does not need administrative credentials to trigger the vulnerability.
- Victim interaction: Not required
  No action from another user or victim is needed; the attacker can exploit the flaw entirely on their own.
- Attack complexity: Low (AC:L)
  The exploit is reliable and condition-free, with no race conditions or special environmental factors required.
Blast Radius
- Attacker executes arbitrary code on the host with elevated privileges, gaining control beyond the original low-privilege account.
- Confidential data stored on the host, including files and credentials accessible to higher-privilege processes, becomes readable to the attacker.
- The attacker can modify files, configuration, or persisted data on the host system.
- Local system availability can be disrupted, including termination of processes or corruption of application state.
How HarborGuard Handles This
Available on HarborGuard: detection of this vulnerability runs against all customer images within minutes of CVE publication, covering both upstream and internally built images that include the LanSchool Classic client. Where compliance policy permits, a patched rebuild at version 9.3.1.30 is made available automatically. For customers who opt into auto-remediation, HarborGuard can rebuild the image, run a regression test, and open a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Customers not yet on auto-remediation can access the patched image through the HarborGuard registry and apply it manually.
Fix available
- Lenovo / LanSchool Classic: < 9.3.1.30 (from 0)
CVSS v4.0 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N