Vulnerability Report

CVE-2026-34978

Title: Path traversal in CUPS RSS notifier leading to arbitrary file write

Arbitrary File Access

Proof Of Concept

No public PoC currently indexed for CVE-2026-34978.

CWE Category CWE-22

Published Date Apr 03, 2026

Modified Date Apr 16, 2026

Exploit Status Not Found

Score 6.5 CVSS v3.1

Exploit Probability (EPSS)

0.03%

Vulnerability Summary

CVE-2026-34978: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.

Impacted Vendors

easy_software_products 1

openprinting 1

Reference Links

https://github.com/OpenPrinting/cups/security/advisories/GHSA-f53q-7mxp-9gcr

CVSS v3.1

Source Entity [email protected]

Severity MEDIUM

6.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Associated Attack Patterns (CAPEC)

Total: Patterns