Description
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.
Published: 2026-04-03
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Root-level file overwrite leading to privilege escalation
Action: Apply patch
AI Analysis

Impact

The vulnerability affects OpenPrinting CUPS versions 2.4.16 and earlier. An unprivileged local user can coerce cupsd into authenticating to a malicious IPP service on localhost, which captures a reusable Authorization: Local token. That token lets the attacker send administrative requests to cupsd on localhost; by creating a shared local printer with a file:// device URI, the attacker persists a queue that the FileDevice policy would normally reject. Printing to that queue triggers an arbitrary file overwrite as root, which the proof-of-concept uses to drop a sudoers fragment and execute commands with root privileges. The weakness is classed as improper authentication (CWE-287) and external control of file name or path (CWE-73).

Affected Systems

OpenPrinting CUPS 2.4.16 and earlier running on Linux or other Unix-like operating systems are affected. This includes any distribution that ships CUPS 2.4.16 or an older release.

Risk and Exploitability

The CVSS score of 5.0 denotes a moderate risk. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting it may not yet be widely exploited. However, the attack requires only local, unprivileged user access, making the exploitation barrier low within a compromised host. Once authenticated via the Local token, administrative actions on the CUPS server can be performed, allowing the attacker to persist malicious printers and achieve root-level file overwrite.

Generated by OpenCVE AI on April 4, 2026 at 03:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Seek and apply vendor patch once released.
  • Limit local users’ permissions to create printers; configure the system to deny the use of file:// URIs for printers.
  • Disable or restrict local IPP authentication for non‑trusted sources.
  • Monitor the system for unauthorized printer creation and ensure FileDevice policies are correctly enforced.
  • Consider disabling the CUPS service on hosts where service is unnecessary.
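One way to act on the monitoring item above is to audit the queues cupsd currently exposes for file: device URIs, which are exactly what FileDevice No is meant to keep out. The Python script below is an added example, not part of the OpenCVE record or of CUPS itself; it parses the documented `device for <queue>: <uri>` lines that `lpstat -v` prints, treats file:///dev/null as the one file: target that CUPS always allows, and flags every other file-backed queue. The sample output embedded in the script is constructed, not captured from a real host.

```python
"""Audit CUPS queues for file: device URIs using `lpstat -v` output.

Added defender-side example (not part of the OpenCVE record or of CUPS).
It assumes only the documented `lpstat -v` line format and that CUPS always
permits the file:///dev/null pseudo-device regardless of FileDevice.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional
from urllib.parse import urlsplit

# `lpstat -v` prints one line per queue: "device for <queue>: <device-uri>"
DEVICE_LINE = re.compile(r"^device for (?P<queue>\S+): (?P<uri>\S+)$")

# /dev/null is the one file: target CUPS accepts even with FileDevice No,
# so a queue pointing there is not evidence of a policy bypass.
ALLOWED_FILE_PATHS = {"/dev/null"}


def parse_lpstat_v(output: str) -> Dict[str, str]:
    """Map queue name -> device URI, ignoring anything that is not a device
    line (for example the 'lpstat: No destinations added.' message)."""
    queues: Dict[str, str] = {}
    for line in output.splitlines():
        m = DEVICE_LINE.match(line.strip())
        if m:
            queues[m.group("queue")] = m.group("uri")
    return queues


def find_file_queues(queues: Dict[str, str]) -> Dict[str, str]:
    """Return the queues whose device URI writes to the local filesystem."""
    flagged: Dict[str, str] = {}
    for name, uri in queues.items():
        parts = urlsplit(uri)
        if parts.scheme.lower() != "file":
            continue
        if parts.path in ALLOWED_FILE_PATHS:
            continue
        flagged[name] = uri
    return flagged


def audit_host() -> Optional[Dict[str, str]]:
    """Run `lpstat -v` on this host; returns None if lpstat is not installed."""
    if shutil.which("lpstat") is None:
        return None
    proc = subprocess.run(["lpstat", "-v"], capture_output=True, text=True, check=False)
    return find_file_queues(parse_lpstat_v(proc.stdout))


# Constructed sample output, not captured from a real host.
SAMPLE_LPSTAT_V = """\
device for office: ipp://print.example.internal/ipp/print
device for devnull: file:///dev/null
device for rogue: file:///etc/sudoers.d/example
device for hp: usb://HP/LaserJet?serial=CONSTRUCTED
"""

if __name__ == "__main__":
    for queue, uri in find_file_queues(parse_lpstat_v(SAMPLE_LPSTAT_V)).items():
        print(f"ALERT: queue {queue!r} writes to local file {uri}")
    live = audit_host()
    if live is None:
        print("lpstat not found; skipped live audit")
    else:
        print(f"live audit: {len(live)} file-backed queue(s) found")
```

Run it periodically (cron or a configuration-management check) and alert whenever the flagged set is non-empty; together with FileDevice No in the CUPS files configuration this covers both the policy and the detection side of the recommendation above.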

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Openprinting; Openprinting cups
Vendors & Products Openprinting; Openprinting cups

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 {'score': 5.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
        ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}
        cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-73
References
Metrics threat_severity None
        cvssV3_1 {'score': 5.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
        threat_severity Moderate

Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.
Title OpenPrinting CUPS: Local print admin token disclosure using temporary printers
Weaknesses CWE-287
References
Metrics cvssV4_0 {'score': 5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:L'}

Subscriptions

Openprinting Cups
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:52:04.074Z

Reserved: 2026-03-31T19:38:31.618Z

Link: CVE-2026-34990

Vulnrichment

Updated: 2026-04-06T18:51:58.185Z

NVD

Status : Analyzed

Published: 2026-04-03T22:16:27.400

Modified: 2026-04-16T18:15:24.430

Link: CVE-2026-34990

Redhat

Severity : Moderate

Public Date: 2026-04-03T21:14:09Z

Links: CVE-2026-34990 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-06T22:22:10Z

Weaknesses