CVE-2026-27447
Authorization Bypass in CUPS Daemon via Case-Insensitive Username
Publication date: 2026-04-03
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openprinting | cups | to 2.4.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the CUPS daemon (cupsd) of OpenPrinting CUPS versions 2.4.16 and earlier. It is caused by an authorization bypass due to case-insensitive username comparison during authorization checks.
Because the system treats usernames that differ only in letter case as equivalent, an unprivileged user can gain unauthorized access to restricted operations by using a username that differs only in case from an authorized user.
How can this vulnerability impact me? :
This vulnerability can allow an unprivileged user to perform restricted operations that they should not have access to by exploiting the case-insensitive username comparison.
Such unauthorized access could lead to unauthorized printing operations or manipulation of the printing system, potentially compromising system integrity or confidentiality.
What immediate steps should I take to mitigate this vulnerability?
At the time of publication, there are no publicly available patches for this vulnerability.
To mitigate the risk, consider restricting user account creation to avoid usernames that differ only in case from authorized users.
Additionally, monitor and limit access to the CUPS daemon to trusted users only, and apply strict access controls where possible.