Description
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using a user with a username that differs only in case from an authorized user. At time of publication, there are no publicly available patches.
Published: 2026-04-03
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized privileged access to restricted CUPS operations
Action: Assess Impact
AI Analysis

Impact

The vulnerability arises from a case‑insensitive comparison of usernames during CUPS authorization checks. An attacker who can create or use a user account whose name differs only in case from an authorized user can exercise privileged operations normally reserved for that authorized user. This bypass grants unauthorized access to restricted printing functions, potentially allowing the attacker to query protected information, modify print jobs, or otherwise abuse printing services. The weakness corresponds to improper comparison logic (CWE‑178) and insufficient privilege checks (CWE‑863).

Affected Systems

The issue affects the OpenPrinting CUPS printing system for Linux and other Unix‑like operating systems. Vulnerable versions are CUPS 2.4.16 and all earlier releases. The product is maintained by the OpenPrinting project, and the vulnerability is reported in the CUPS daemon (cupsd).

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. With no EPSS data and not listed in the KEV catalog, the exploitation likelihood is unclear, but the flaw can potentially be leveraged by users who have local or network access to the CUPS service. Based on the description, the attack likely requires an unprivileged user to interact with the CUPS daemon, which could be achieved through a local shell or through network requests if the service is exposed. Because the vulnerability permits an unauthorized privileged operation, successful exploitation would compromise confidentiality, integrity, or availability of the printing infrastructure. Until a patch is published, the risk remains elevated for systems exposing CUPS without proper access controls.

Generated by OpenCVE AI on April 4, 2026 at 03:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the CUPS version and ensure you are not running 2.4.16 or older.
  • Apply any available patches or updates from OpenPrinting as soon as they are released.
  • If a patch is not yet available, consider disabling the CUPS service or restricting its network exposure with firewall rules.
  • Limit local user accounts with printing privileges to trusted personnel and monitor for suspicious activity.

Generated by OpenCVE AI on April 4, 2026 at 03:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Openprinting
Openprinting cups
Vendors & Products Openprinting
Openprinting cups

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-178
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using a user with a username that differs only in case from an authorized user. At time of publication, there are no publicly available patches.
Title OpenPrinting CUPS: Authorization bypass via case-insensitive group-member lookup
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N'}

Subscriptions

Openprinting Cups
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:50:21.909Z

Reserved: 2026-02-19T17:25:31.100Z

Link: CVE-2026-27447

cve-icon Vulnrichment

Updated: 2026-04-06T18:49:52.294Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T22:16:25.193

Modified: 2026-04-22T16:20:51.083

Link: CVE-2026-27447

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T21:11:59Z

Links: CVE-2026-27447 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:22:11Z

Weaknesses