CVE-2026-34990
Authorization Bypass in CUPS Allows Local Root File Overwrite
Publication date: 2026-04-03
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openprinting | cups | to 2.4.16 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenPrinting CUPS versions 2.4.16 and prior. A local unprivileged user can trick the CUPS daemon (cupsd) into authenticating to an attacker-controlled localhost IPP service using a reusable Authorization: Local token. This token allows the attacker to perform administrative requests on localhost.
The attacker can use the CUPS-Create-Local-Printer feature combined with the printer-is-shared=true setting to create a persistent file queue with a file:/// URI, which is normally blocked by the FileDevice policy. Printing to this queue enables arbitrary root file overwrites.
A proof of concept demonstrates how this can be exploited to drop a sudoers fragment, leading to root command execution. At the time of publication, no public patches are available.
How can this vulnerability impact me? :
This vulnerability allows a local unprivileged user to escalate privileges to root by exploiting the CUPS printing system. The attacker can overwrite arbitrary root-owned files, potentially gaining full control over the affected system.
Such an exploit can lead to unauthorized root command execution, compromising system integrity, confidentiality, and availability.