CVE-2026-34978: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in OpenPrinting cups
CVE-2026-34978 is a path traversal vulnerability in OpenPrinting CUPS versions 2. 4. 16 and earlier. It allows a remote IPP client to write RSS XML data outside the intended CacheDir/rss directory by exploiting the notify-recipient-uri parameter. This can lead to overwriting critical state files such as CacheDir/job. cache, causing the print scheduler to fail parsing job caches and resulting in loss of queued print jobs. No official patch or fix is available at the time of publication.
AI Analysis
Technical Summary
OpenPrinting CUPS (<= 2.4.16) contains a CWE-22 path traversal vulnerability in the RSS notifier component. The notify-recipient-uri parameter can be manipulated with '..' sequences to write arbitrary RSS XML bytes outside the restricted CacheDir/rss directory, specifically to any location writable by the lp user group. Because CacheDir is group-writable (typically root:lp with mode 0770), the notifier process running as lp can overwrite root-managed state files using a temporary file and rename operation. A proof-of-concept demonstrates overwriting CacheDir/job.cache, which causes the scheduler to fail parsing the job cache after a cupsd restart, leading to loss of previously queued jobs. No patches or vendor advisories indicating remediation are currently available.
Potential Impact
This vulnerability allows an unauthenticated remote attacker to perform path traversal and write arbitrary RSS XML data to critical state files within the CUPS CacheDir. The immediate impact is the corruption of the job cache file, causing the print scheduler to fail and queued print jobs to disappear. This results in denial of service for printing operations. There is no indication of confidentiality or integrity compromise beyond the job cache manipulation. No known exploits in the wild have been reported.
Mitigation Recommendations
At the time of this report, no official patches or fixes are available. Users should monitor the OpenPrinting project for updates and advisories. As a temporary mitigation, restricting network access to the IPP service to trusted clients only may reduce exposure. Avoid restarting cupsd until a fix is applied to prevent loss of queued jobs. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-34978: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in OpenPrinting cups
Description
CVE-2026-34978 is a path traversal vulnerability in OpenPrinting CUPS versions 2. 4. 16 and earlier. It allows a remote IPP client to write RSS XML data outside the intended CacheDir/rss directory by exploiting the notify-recipient-uri parameter. This can lead to overwriting critical state files such as CacheDir/job. cache, causing the print scheduler to fail parsing job caches and resulting in loss of queued print jobs. No official patch or fix is available at the time of publication.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenPrinting CUPS (<= 2.4.16) contains a CWE-22 path traversal vulnerability in the RSS notifier component. The notify-recipient-uri parameter can be manipulated with '..' sequences to write arbitrary RSS XML bytes outside the restricted CacheDir/rss directory, specifically to any location writable by the lp user group. Because CacheDir is group-writable (typically root:lp with mode 0770), the notifier process running as lp can overwrite root-managed state files using a temporary file and rename operation. A proof-of-concept demonstrates overwriting CacheDir/job.cache, which causes the scheduler to fail parsing the job cache after a cupsd restart, leading to loss of previously queued jobs. No patches or vendor advisories indicating remediation are currently available.
Potential Impact
This vulnerability allows an unauthenticated remote attacker to perform path traversal and write arbitrary RSS XML data to critical state files within the CUPS CacheDir. The immediate impact is the corruption of the job cache file, causing the print scheduler to fail and queued print jobs to disappear. This results in denial of service for printing operations. There is no indication of confidentiality or integrity compromise beyond the job cache manipulation. No known exploits in the wild have been reported.
Mitigation Recommendations
At the time of this report, no official patches or fixes are available. Users should monitor the OpenPrinting project for updates and advisories. As a temporary mitigation, restricting network access to the IPP service to trusted clients only may reduce exposure. Avoid restarting cupsd until a fix is applied to prevent loss of queued jobs. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T19:38:31.617Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d031770a160ebd925d2010
Added to database: 4/3/2026, 9:30:31 PM
Last enriched: 4/3/2026, 9:45:46 PM
Last updated: 4/3/2026, 10:49:45 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.