CVE-2026-34990
Published: 03 April 2026
Summary
CVE-2026-34990 is a high-severity Improper Authentication (CWE-287) vulnerability in Openprinting Cups. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Prohibits nonessential CUPS functionality such as printer sharing and local admin features, directly preventing local unprivileged users from creating persistent malicious file:/// queues.
Enforces least privilege to restrict unprivileged local user interactions with cupsd and limit the service's ability to perform arbitrary root file overwrites.
Monitors integrity of critical root-owned files like sudoers to detect unauthorized overwrites resulting from exploitation of the malicious printer queue.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability directly enables local privilege escalation from unprivileged user to root by bypassing CUPS authentication and FileDevice policy to create a rogue file:/// printer queue for arbitrary root file overwrites (e.g., sudoers modification).
NVD Description
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local…
more
... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.
Deeper analysisAI
CVE-2026-34990 is a vulnerability in OpenPrinting CUPS, an open source printing system for Linux and other Unix-like operating systems, affecting versions 2.4.16 and prior. It enables a local unprivileged user to coerce the cupsd daemon into authenticating to an attacker-controlled localhost IPP service using a reusable Authorization: Local token. This token grants sufficient access to issue /admin/ requests on localhost, allowing the creation of a persistent file:/// printer queue via CUPS-Create-Local-Printer with printer-is-shared=true, bypassing the normal FileDevice policy that rejects such URIs.
A local unprivileged attacker can exploit this by setting up a malicious localhost IPP service to capture the authentication token from cupsd. Using the token, the attacker drives administrative actions to establish the rogue printer queue. Printing to this queue then permits arbitrary root-owned file overwrites; a proof-of-concept demonstrates this by dropping a sudoers fragment to achieve root command execution. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication).
The GitHub security advisory (GHSA-c54j-2vqw-wpwp) states that, at the time of publication on 2026-04-03, there are no publicly available patches. Security practitioners should monitor for updates from the OpenPrinting CUPS project and consider restricting local unprivileged user access to cupsd or disabling unnecessary printing services until mitigation is available.
Details
- CWE(s)