CVE-2026-34990 Overview
OpenPrinting CUPS, the open-source printing system for Linux and other Unix-like operating systems, contains an authentication bypass vulnerability in versions 2.4.16 and prior. A local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local token. This token provides sufficient access to drive /admin/ requests on localhost, enabling the attacker to combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:/// queue, even though the normal FileDevice policy rejects such URIs. Printing to that queue enables arbitrary root file overwrite, ultimately leading to root command execution.
Critical Impact
Local privilege escalation to root through authentication token coercion and arbitrary file overwrite, enabling complete system compromise on affected Linux and Unix systems.
Affected Products
- OpenPrinting CUPS versions 2.4.16 and prior
- Linux distributions shipping vulnerable CUPS packages
- Unix-like operating systems with affected CUPS installations
Discovery Timeline
- 2026-04-03 - CVE-2026-34990 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-34990
Vulnerability Analysis
This vulnerability (CWE-287: Improper Authentication) stems from a flaw in how the CUPS daemon handles local authentication tokens. The attack chain requires local access but can lead to complete root-level compromise of the affected system.
The core issue lies in the authentication mechanism where cupsd can be tricked into authenticating to an attacker-controlled IPP service. The resulting Authorization: Local token is reusable and provides administrative access to CUPS functionality. This authentication bypass allows attackers to circumvent the FileDevice policy restriction that normally prevents the creation of printer queues pointing to arbitrary file system locations.
The attack leverages the CUPS-Create-Local-Printer operation with the printer-is-shared=true parameter, allowing the creation of a persistent file:/// printer queue. When a document is printed to this malicious queue, the output is written to an arbitrary file path with root privileges, enabling the attacker to overwrite critical system files such as sudoers configurations.
Root Cause
The root cause is an improper authentication implementation (CWE-287) in the CUPS daemon's handling of local authorization tokens. The vulnerability allows authentication coercion where an unprivileged user can manipulate cupsd to generate and expose reusable administrative tokens. Combined with insufficient validation of printer device URIs when using the local printer creation API, this creates a privilege escalation path from local user to root.
Attack Vector
This is a local attack vector requiring an unprivileged user account on the target system. The exploitation chain proceeds as follows:
- The attacker sets up a malicious localhost IPP service designed to capture authentication tokens
- The attacker coerces cupsd into authenticating to this malicious service
- The attacker captures and reuses the Authorization: Local token
- Using administrative privileges, the attacker creates a printer queue pointing to a file:/// URI with printer-is-shared=true
- The attacker prints a crafted document to overwrite a privileged file (e.g., /etc/sudoers.d/ fragment)
- The attacker leverages the modified sudoers configuration to execute commands as root
The proof-of-concept described in the advisory demonstrates dropping a sudoers fragment to achieve root command execution. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-34990
Indicators of Compromise
- Unexpected printer queues with file:/// device URIs in CUPS configuration
- Modified or newly created files in /etc/sudoers.d/ directory without administrative action
- Suspicious IPP service processes running on localhost ports
- Unusual cupsd authentication activity in system logs
Detection Strategies
- Monitor CUPS error and access logs for unexpected administrative operations or printer creation events
- Implement file integrity monitoring (FIM) on critical system files including /etc/sudoers.d/, /etc/passwd, and CUPS configuration directories
- Audit for unauthorized printer queue creations, particularly those with file-based device URIs
- Deploy endpoint detection to identify privilege escalation attempts following CUPS exploitation patterns
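One way to run the queue audit described above, shown as an added example rather than code from the advisory or the CUPS project. It assumes persisted queues are recorded in /etc/cups/printers.conf in the usual `<Printer name>` block layout; the sample data and the function name `find_file_queues` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the printers.conf block layout; queue names and URIs are made up.
SAMPLE_PRINTERS_CONF = """\
<Printer office_laser>
DeviceURI ipp://printer.example.internal/ipp/print
Shared Yes
</Printer>
<Printer test_null>
DeviceURI file:///dev/null
Shared No
</Printer>
<DefaultPrinter tmp_queue>
DeviceURI file:///etc/sudoers.d/constructed-example
Shared Yes
</DefaultPrinter>
"""

_OPEN = re.compile(r"^<(?:Default)?Printer\s+(\S+)>$")
_CLOSE = re.compile(r"^</(?:Default)?Printer>$")

def find_file_queues(conf_text):
    """Return queues whose DeviceURI uses the file scheme (other than /dev/null)."""
    findings, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = _OPEN.match(line)
        if m:
            current = {"name": m.group(1), "device_uri": None, "shared": False}
        elif _CLOSE.match(line) and current is not None:
            parts = urlsplit(current["device_uri"] or "")
            # file:/dev/null is the one file URI CUPS permits regardless of FileDevice.
            if parts.scheme.lower() == "file" and parts.path != "/dev/null":
                findings.append(current)
            current = None
        elif current is not None and line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            if key == "DeviceURI":
                current["device_uri"] = value.strip()
            elif key == "Shared":
                current["shared"] = value.strip().lower() in ("yes", "true", "on")
    return findings

if __name__ == "__main__":
    # On a real host, pass the contents of /etc/cups/printers.conf instead of the sample.
    for q in find_file_queues(SAMPLE_PRINTERS_CONF):
        print(f"{q['name']}: {q['device_uri']} shared={q['shared']}")
```

Any queue this reports that was not created deliberately by an administrator matches the first indicator of compromise listed above and warrants review of the target path.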
Monitoring Recommendations
- Enable verbose logging for the CUPS daemon to capture detailed authentication and administrative operation records
- Configure security alerts for any modifications to CUPS printer configurations that include file:/// URIs
- Monitor for unusual process spawning patterns that may indicate successful privilege escalation to root
- Implement network monitoring to detect local IPP traffic anomalies indicative of authentication coercion attacks
How to Mitigate CVE-2026-34990
Immediate Actions Required
- Restrict local access to systems running vulnerable CUPS versions to trusted users only
- Review and audit all existing printer configurations for suspicious file:/// device URIs
- Implement strict access controls on the CUPS administrative interface
- Consider temporarily disabling the CUPS service on systems where printing is not critical
Patch Information
At the time of publication, there are no publicly available patches for this vulnerability. Organizations should monitor the OpenPrinting CUPS GitHub Security Advisory for updates on patch availability. When a patch is released, apply it immediately to all affected systems.
Workarounds
- Disable the cups-browsed service if not required for your printing infrastructure
- Configure firewall rules to restrict IPP traffic on localhost ports
- Implement AppArmor or SELinux policies to limit cupsd capabilities and file system access
- Remove or restrict access to the /admin/ CUPS web interface
```
# Configuration example - Restrict CUPS administrative access
# Edit /etc/cups/cupsd.conf to limit administrative access
# Restrict admin pages to specific authorized users
<Location /admin>
  AuthType Default
  Require user @SYSTEM
  Order deny,allow
  Deny from all
  Allow from localhost
</Location>
# Disable remote printer browsing if not needed
Browsing Off
BrowseLocalProtocols none
```

