Description
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.
Published: 2026-04-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Upgrade
AI Analysis

Impact

OpenPrinting CUPS versions 2.4.16 and earlier contain a path traversal vulnerability (CWE-22) in the RSS notifier's handling of notify-recipient-uri. A remote IPP client can supply a URI such as rss:///../job.cache; the notifier process, which runs as the lp user, then writes its RSS XML output outside the intended CacheDir/rss directory, to any location lp can write. The attacker controls the destination path, not the file contents, so the primitive is clobbering a file with RSS XML rather than a controlled write. Because CacheDir is group-writable by default (root:lp, mode 0770), the notifier can replace root-managed state files there through its temp-file-and-rename() sequence; the published proof of concept overwrites CacheDir/job.cache. After cupsd is restarted, the scheduler fails to parse the corrupted job cache and previously queued jobs disappear. No local privileges are needed, so the result is a remotely triggerable denial of service against printing plus loss of queued jobs, consistent with the CVSS vector C:N/I:L/A:L.

Affected Systems

Installations of OpenPrinting CUPS 2.4.16 or earlier on Linux and other Unix-like systems are affected. The conditions under which the published proof of concept works are: the rss notifier is installed (it ships with CUPS, under ServerBin/notifier/rss), CacheDir keeps its default permissions (root:lp, mode 0770, so the lp user can create and rename entries in it), and cupsd accepts IPP requests from untrusted clients. The last point matters because the stock cupsd.conf listens only on localhost:631; servers configured to share printers on the network are the exposed population.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) indicates moderate severity: reachable over the network with no privileges or user interaction, but limited to integrity and availability impact. The EPSS score is below 1% and the CVE is not listed in CISA's KEV catalog; however, the SSVC assessment recorded in the history below marks exploitation as "poc" and the attack as automatable, and the CVE text itself describes a working proof of concept. An attacker needs only to reach cupsd's IPP listener (TCP port 631) and submit a subscription whose notify-recipient-uri carries the traversal; CUPS servers that share printers beyond localhost are the ones exposed.

Generated by OpenCVE AI on April 4, 2026 at 01:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a CUPS version newer than 2.4.16 as soon as a patch is available.
  • If an upgrade is not immediately possible, remove group write from CacheDir (for example, chmod 0750 /var/cache/cups, keeping root:lp ownership) while leaving the CacheDir/rss subdirectory writable by the lp user. Without write access to CacheDir itself, the lp notifier cannot rename() a file over root-managed state such as job.cache. This is not a vendor-supplied workaround and it does not stop writes to other lp-writable paths, so test it before relying on it. Do not make CacheDir 0700 root:root: that also blocks the legitimate writes to CacheDir/rss.
  • Alternatively, if RSS notifications are not needed, remove or make non-executable the rss notifier binary in ServerBin/notifier (typically /usr/lib/cups/notifier/rss) and restart cupsd. There is no cupsd.conf directive that disables the notifier, but cupsd cannot launch a notifier that is not present.

Generated by OpenCVE AI on April 4, 2026 at 01:27 UTC.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 18:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Openprinting; Openprinting cups
Type: Vendors & Products
Values Added: Openprinting; Openprinting cups

Mon, 06 Apr 2026 16:45:00 +0000

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 01:15:00 +0000

Type: References
Type: Metrics threat_severity
Values Removed: None
Values Added: Moderate


Fri, 03 Apr 2026 21:30:00 +0000

Type: Description
Values Added: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.
Type: Title
Values Added: OpenPrinting CUPS: Path traversal in RSS notify-recipient-uri enables file write outside CacheDir/rss (and clobbering of job.cache)
Type: Weaknesses
Values Added: CWE-22
Type: References
Type: Metrics cvssV3_1
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T15:42:42.322Z

Reserved: 2026-03-31T19:38:31.617Z

Link: CVE-2026-34978

Vulnrichment

Updated: 2026-04-06T15:39:32.575Z

NVD

Status: Analyzed

Published: 2026-04-03T22:16:26.947

Modified: 2026-04-16T18:29:46.537

Link: CVE-2026-34978

Redhat

Severity: Moderate

Public Date: 2026-04-03T21:15:15Z

Links: CVE-2026-34978 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-06T22:22:09Z

Weaknesses