CVE-2026-34990

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.

Database specific

{
    "cwe_ids": [
        "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34990.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/openprinting/cups

Affected ranges

Type

GIT

Repo

https://github.com/openprinting/cups

Events

Introduced

Last affected

7523763f00d2063f88026d93bc5b29806240de2b

Database specific

{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.4.16"
        }
    ]
}

Affected versions

v2.*

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2b1

v2.2b2

v2.2rc1

v2.3.0

v2.3.1

v2.3.3

v2.3.3op1

v2.3.3op2

v2.3b1

v2.3b2

v2.3b3

v2.3b4

v2.3b5

v2.3b6

v2.3b7

v2.3b8

v2.3rc1

v2.4.0

v2.4.1

v2.4.10

v2.4.11

v2.4.12

v2.4.13

v2.4.14

v2.4.15

v2.4.16

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9

v2.4b1

v2.4rc1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34990.json"