Skip to main content

Red Hat EUVDEUVD-2026-18889

| CVE-2026-34990 MEDIUM
Improper Authentication (CWE-287)
2026-04-03 GitHub_M
5.0
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Red Hat
5.2 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 03, 2026 - 21:30 euvd
EUVD-2026-18889
Analysis Generated
Apr 03, 2026 - 21:30 vuln.today
CVE Published
Apr 03, 2026 - 21:14 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.

AnalysisAI

Local privilege escalation in OpenPrinting CUPS 2.4.16 and prior allows unprivileged users to bypass authentication and create arbitrary file overwrites as root by coercing cupsd into issuing reusable Authorization tokens and leveraging printer-sharing policies to persist file:// URIs that bypass FileDevice restrictions. A proof-of-concept demonstrates root command execution via sudoers file modification, and the vulnerability is confirmed by the presence of public exploit code.

Technical ContextAI

OpenPrinting CUPS is a printing system daemon (cupsd) that handles IPP (Internet Printing Protocol) requests and manages printer queues. The vulnerability exploits a flaw in CUPS' authentication token handling and authorization policy enforcement (CWE-287: Improper Authentication). A local attacker can set up a rogue localhost IPP service to intercept cupsd's outbound authentication requests, capture the Authorization: Local token, and replay it to access administrative endpoints. The attack chain leverages two policy gaps: (1) CUPS generates reusable authentication tokens for localhost connections without sufficient scope restriction, and (2) the printer-is-shared=true parameter in CUPS-Create-Local-Printer requests bypasses the normal FileDevice URI policy that would reject file:/// schemes. This allows creation of persistent printer queues pointing to arbitrary filesystem paths. When a print job is sent to such a queue, cupsd executes it as root, enabling arbitrary file writes. The affected component is cpe:2.3:a:openprinting:cups:*:*:*:*:*:*:*:* (all versions through 2.4.16).

RemediationAI

At the time of publication, no vendor-released patch was available. Monitor the OpenPrinting CUPS GitHub security advisory (https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp) for patched versions and apply them immediately upon release. Interim mitigations include restricting local user access to CUPS sockets and administrative interfaces via file-system permissions, disabling or strictly controlling the ability for unprivileged users to create shared printer queues, and limiting network access to localhost IPP services if possible. Organizations should prioritize patching CUPS on systems where unprivileged local users have accounts or where container/VM escape vectors could grant local access.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Fixed

Share

EUVD-2026-18889 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy