CVE-2026-34980
Command Injection in OpenPrinting CUPS via Unauthenticated Print-Job
Publication date: 2026-04-03
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openprinting | cups | up to and including 2.4.16 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenPrinting CUPS versions 2.4.16 and earlier, specifically when the cupsd service is network-exposed with a shared target queue. An unauthenticated client can send a Print-Job request to the shared PostScript queue without needing to authenticate.
The vulnerability arises because the server accepts a page-border value as textWithoutLanguage, preserves an embedded newline through option escaping and reparsing, and then treats the resulting second-line PPD text as a trusted scheduler control record.
This allows an attacker to submit a follow-up raw print job that can cause the server to execute an existing binary of the attacker's choice, such as /usr/bin/vim, under the lp user.
At the time of publication, no public patches are available to fix this issue.
How can this vulnerability impact me?
This vulnerability can allow an unauthenticated attacker to execute arbitrary code on the server running the CUPS printing system.
By exploiting this flaw, an attacker can run existing binaries with the privileges of the lp user, potentially leading to unauthorized actions on the system.
This could result in compromise of the printing server, unauthorized access to system resources, and potentially further escalation depending on the environment.