Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ry9y-z4e4-yfdh
Vulnerability ID VCID-ry9y-z4e4-yfdh
Aliases CVE-2026-34990
Summary OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.
Status Published
Exploitability 0.5
Weighted Severity 7.0
Risk 3.5
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-73 External Control of File Name or Path
CWE-287 Improper Authentication
System Score Found at
cvssv3 5.2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34990.json
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-34990
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-34990
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-34990
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-34990
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-34990
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-34990
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-34990
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-34990
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-34990
cvssv3.1 7.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.8 https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp
cvssv4 5 https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp
ssvc Track* https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34990.json
https://api.first.org/data/v1/epss?cve=CVE-2026-34990
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34990
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1132716 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132716
2454947 https://bugzilla.redhat.com/show_bug.cgi?id=2454947
GHSA-c54j-2vqw-wpwp https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp
RHSA-2026:8814 https://access.redhat.com/errata/RHSA-2026:8814
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34990.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:L Found at https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-06T18:51:42Z/ Found at https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp
Exploit Prediction Scoring System (EPSS)
Percentile 0.01448
EPSS Score 0.00011
Published At April 7, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-04T14:49:55.245519+00:00 Debian Oval Importer Import https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 38.1.0