CVE-2026-27447

EUVD-2026-18863

03.04.2026, 22:16

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using a user with a username that differs only in case from an authorized user. At time of publication, there are no publicly available patches.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.8 MEDIUM	NETWORK	HIGH	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
openprinting	cups	𝑥 ≤ 2.4.16

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

cups

bookworm	no-dsa
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	2.4.18-1 fixed
sid	2.4.18-1 fixed
trixie	no-dsa
trixie (security)	vulnerable

Known Exploits!

https://github.com/OpenPrinting/cups/security/advisories/GHSA-v987-m8hp-phj9

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://github.com/OpenPrinting/cups/commit/88516bf6d9e34cef7a64a704b856b837f70cd220

https://github.com/OpenPrinting/cups/security/advisories/GHSA-v987-m8hp-phj9