CVE-2026-34978
OpenPrinting CUPS: Path traversal in RSS notify-recipient-uri enables file write outside CacheDir/rss (and clobbering of job.cache)
In short
OpenPrinting CUPS has a flaw where an attacker can use path traversal tricks to write files outside the intended folder, potentially corrupting system files and causing print jobs to be lost. This happens through a remote printing request that tricks the RSS notification system.
Technical detail
A CWE-22 path traversal vulnerability in the RSS notifier component allows remote IPP clients to bypass directory restrictions via .. sequences in the notify-recipient-uri parameter. The notifier process (running as the lp user) can write to group-writable directories and overwrite critical state files such as job.cache using a rename operation, causing data loss and scheduler failures upon restart.
Summary generated and translated by AI from the official description.
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.
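The check that the description shows to be missing, as an added example (not CUPS code and not part of the advisory): a hypothetical rss_recipient_is_safe() that refuses any notify-recipient-uri whose resource contains a "." or ".." segment before the path is joined to CacheDir/rss. The function name and the sample URIs are assumptions, and rejecting percent-encoded dots goes beyond the single case shown in the description.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not CUPS code: returns true only when the resource
 * part of an rss:// recipient URI names a file with no "." or ".." segment,
 * so appending it to CacheDir/rss cannot leave that directory. */
bool rss_recipient_is_safe(const char *uri)
{
    char seg[256];
    size_t n = 0;
    bool any = false;                 /* saw at least one non-empty segment */
    const char *p;
    /* Require the rss scheme, then skip the (possibly empty) host. */
    if (strncmp(uri, "rss://", 6) != 0 || (p = strchr(uri + 6, '/')) == NULL)
        return false;
    for (p++;; p++) {
        char c = *p;
        bool end = (c == '\0' || c == '?');   /* '?' starts the options */
        if (c == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            char hex[3] = { p[1], p[2], '\0' };
            c = (char)strtol(hex, NULL, 16);  /* compare the decoded byte */
            p += 2;
            if (c == '\0') return false;      /* encoded NUL would hide a suffix */
        }
        if (end || c == '/') {                /* a decoded %2f also splits here */
            seg[n] = '\0';
            if (strcmp(seg, ".") == 0 || strcmp(seg, "..") == 0)
                return false;
            any = any || n > 0;
            n = 0;
            if (end)
                return any;
        } else if (n + 1 < sizeof(seg)) {
            seg[n++] = c;
        } else {
            return false;                     /* over-long segment: refuse */
        }
    }
}

int main(void)
{
    /* First URI is constructed; the second is the example from the description. */
    printf("%d %d\n", rss_recipient_is_safe("rss://localhost/printers.rss"),
           rss_recipient_is_safe("rss:///../job.cache"));
    return 0;
}
```

A lexical check like this does not cover symlinks already present under CacheDir/rss; tightening the group-write permission on CacheDir addresses the job.cache replacement independently of URI validation.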
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Affected products
OpenPrinting · cups