CVE-2026-34990

OpenPrinting CUPS: Local print admin token disclosure using temporary printers

CVSS 5 (MEDIUM) · EPSS 0.3% · CWE-287
In short

A local user can trick CUPS (a printing system) into revealing an authentication token that allows them to create fake printers and overwrite system files as root. This could let an unprivileged user gain complete control of the computer.

Technical detail

An improper-authentication weakness (CWE-287) allows a local unprivileged attacker to coerce cupsd into authenticating to an attacker-controlled localhost IPP service, obtaining a reusable Authorization token. The attacker then uses CUPS-Create-Local-Printer with printer-is-shared=true to bypass the FileDevice URI restriction, enabling arbitrary file overwrite as root via print operations on the resulting queue.

Summary generated and translated by AI from the official description.
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC in the original advisory uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.
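Since the attack persists a queue whose device URI uses the file: scheme, one defender-side check is to enumerate the queues cupsd currently knows about and flag any file-backed ones. The script below is an added example, not code from the advisory or from the CUPS project; it parses the `device for <name>: <uri>` lines that `lpstat -v` prints, runs over a constructed sample inline, and can be pointed at the live host.

```python
import re
import shutil
import subprocess

# Constructed sample of `lpstat -v` output (not captured from a real host):
# two ordinary network queues and one queue whose device URI points at the
# local filesystem, the pattern the advisory describes being persisted.
SAMPLE_LPSTAT = """\
device for office_laser: ipp://printer.example.internal/ipp/print
device for tmp_local_42: file:///tmp/constructed_sample.txt
device for scratch: socket://192.0.2.10:9100
"""

# `lpstat -v` reports one queue per line as "device for NAME: URI".
LINE_RE = re.compile(r"^device for (?P<name>\S+): (?P<uri>\S+)$")


def parse_lpstat(text):
    """Map queue name -> device URI from `lpstat -v` output; ignores other lines."""
    queues = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            queues[m.group("name")] = m.group("uri")
    return queues


def file_backed_queues(queues):
    """Return only the queues whose device URI writes to the local filesystem."""
    return {name: uri for name, uri in queues.items() if uri.lower().startswith("file:")}


def audit_live():
    """Run `lpstat -v` on this host if it is installed and return flagged queues."""
    if shutil.which("lpstat") is None:
        return {}
    proc = subprocess.run(["lpstat", "-v"], capture_output=True, text=True, check=False)
    return file_backed_queues(parse_lpstat(proc.stdout))


if __name__ == "__main__":
    flagged = file_backed_queues(parse_lpstat(SAMPLE_LPSTAT))
    for name, uri in flagged.items():
        print(f"WARNING: queue {name} has a file-backed device URI: {uri}")
    for name, uri in audit_live().items():
        print(f"WARNING (live host): queue {name} has a file-backed device URI: {uri}")
```

A queue flagged here is not proof of exploitation, since an administrator can legitimately enable FileDevice, but on a host where FileDevice is not intentionally enabled it warrants investigation of who created the queue and when.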
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:L
Affected products
OpenPrinting · cups
