CVE-2026-27447
MEDIUMOpenPrinting CUPS: Authorization bypass via case-insensitive group-member lookup
Title source: cnaDescription
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using a user with a username that differs only in case from an authorized user. At time of publication, there are no publicly available patches.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/OpenPrinting/cups/security/advisories/GHSA-v987-m8hp-phj9
X_Refsource_Misc x_refsource_misc
https://github.com/OpenPrinting/cups/commit/88516bf6d9e34cef7a64a704b856b837f70cd220
Scores
CVSS v3
4.8
EPSS
0.0032
EPSS Percentile
23.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (2)
openprinting/cups
< 2.4.16
OpenPrinting/cups
<= 2.4.16
Published
Apr 03, 2026
Tracked Since
Apr 04, 2026