CUPS 2.4.16 Auth Bypass via case-insensitive username comparison
CVE-2026-27447 Published on April 3, 2026

OpenPrinting CUPS: Authorization bypass via case-insensitive group-member lookup
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using an account whose username differs only in case from that of an authorized user. At the time of publication, there are no publicly available patches.

NVD

Vulnerability Analysis

CVE-2026-27447 can be exploited with network access and requires user interaction and user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

Weakness Type

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2026-27447 has been classified as an AuthZ vulnerability or weakness.


Products Associated with CVE-2026-27447


Affected Versions

OpenPrinting cups Version <= 2.4.16 is affected by CVE-2026-27447