CVE-2026-34990
Received Received - Intake
Authorization Bypass in CUPS Allows Local Root File Overwrite

Publication date: 2026-04-03

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-03
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34990
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openprinting cups to 2.4.16 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenPrinting CUPS versions 2.4.16 and prior. A local unprivileged user can trick the CUPS daemon (cupsd) into authenticating to an attacker-controlled localhost IPP service using a reusable Authorization: Local token. This token allows the attacker to perform administrative requests on localhost.

The attacker can use the CUPS-Create-Local-Printer feature combined with the printer-is-shared=true setting to create a persistent file queue with a file:/// URI, which is normally blocked by the FileDevice policy. Printing to this queue enables arbitrary root file overwrites.

A proof of concept demonstrates how this can be exploited to drop a sudoers fragment, leading to root command execution. At the time of publication, no public patches are available.

Impact Analysis

This vulnerability allows a local unprivileged user to escalate privileges to root by exploiting the CUPS printing system. The attacker can overwrite arbitrary root-owned files, potentially gaining full control over the affected system.

Such an exploit can lead to unauthorized root command execution, compromising system integrity, confidentiality, and availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34990. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart