CVE-2026-34978
Path Traversal in CUPS RSS Notifier Allows Cache File Tampering
Publication date: 2026-04-03
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openprinting | cups | up to and including 2.4.16 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenPrinting CUPS versions 2.4.16 and earlier. It involves the RSS notifier component, which allows a path traversal attack through the notify-recipient-uri parameter. A remote IPP client can exploit this to write RSS XML data outside the intended CacheDir/rss directory, anywhere writable by the lp user. Because CacheDir is group-writable by default, the attacker can replace important root-managed state files by creating temporary files and renaming them. This can corrupt the job cache, causing the print scheduler to fail parsing and resulting in the loss of previously queued print jobs.
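The kind of containment check whose absence the answer above describes, as an added example (not CUPS code and not the upstream fix). The helper name `rss_feed_path`, the `/var/cache/cups` sample directory and the segment policy are assumptions; the input is taken to be the already-decoded resource part of an `rss://` recipient URI.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a CUPS function. Builds <cache_dir>/rss<resource>
 * for the decoded resource part of an rss:// recipient URI and returns 0,
 * or returns -1 if any path segment could resolve outside that directory. */
int rss_feed_path(const char *cache_dir, const char *resource,
                  char *out, size_t outsize)
{
  const char *seg, *end;
  int n;

  if (!cache_dir || !resource || !out || resource[0] != '/')
    return -1;

  for (seg = resource + 1;; seg = end + 1) {
    size_t len;
    end = strchr(seg, '/');
    len = end ? (size_t)(end - seg) : strlen(seg);

    /* Empty segment ("//" or trailing "/"), "." and ".." are refused. */
    if (len == 0 || (len == 1 && seg[0] == '.') ||
        (len == 2 && seg[0] == '.' && seg[1] == '.'))
      return -1;

    /* Refuse bytes a later layer might reinterpret as a separator:
       backslash, a leftover percent-escape, control characters. */
    for (size_t i = 0; i < len; i++) {
      unsigned char c = (unsigned char)seg[i];
      if (c == '\\' || c == '%' || c < 0x20 || c == 0x7f)
        return -1;
    }
    if (!end)
      break;
  }

  n = snprintf(out, outsize, "%s/rss%s", cache_dir, resource);
  return (n < 0 || (size_t)n >= outsize) ? -1 : 0;
}

int main(void)
{
  /* Constructed sample resources; /var/cache/cups is an assumed CacheDir. */
  const char *samples[] = { "/news.rss", "/../other.file", "/a/..%2fb" };
  char path[256];
  for (size_t i = 0; i < 3; i++)
    printf("%-16s -> %s\n", samples[i],
           rss_feed_path("/var/cache/cups", samples[i], path, sizeof(path)) ? "rejected" : path);
  return 0;
}
```

This is a lexical check only: it does not detect symlinks already placed inside a group-writable directory, which needs `openat()`-style handling with `O_NOFOLLOW` at the point where the file is opened.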
How can this vulnerability impact me?
The vulnerability can lead to denial of service in the printing system by corrupting the job cache. Specifically, an attacker can cause the print scheduler to fail to parse the job cache, which results in the disappearance of previously queued print jobs. This disrupts normal printing operations and may require administrative intervention to restore functionality.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a remote IPP client to perform path traversal and write arbitrary RSS XML bytes outside the intended CacheDir/rss directory, potentially replacing root-managed state files. This can lead to denial of service by causing the scheduler to fail parsing the job cache and losing previously queued jobs.
While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to manipulate job cache files and disrupt printing services could impact the integrity and availability of printing logs or job data, which may be relevant to regulatory requirements for data integrity and availability.
However, there is no direct information provided about how this vulnerability specifically affects compliance with these regulations.