PaperCut NG/MF Security Bulletin (June 2026)

Last updated June 22, 2026

Summary

At PaperCut, we are consistently working on improving the security posture of our products. This ongoing commitment involves regular internal audits, proactive “pattern hunting” in our codebase, and collaboration with external security researchers. This process is designed to identify and remediate potential issues before they can be exploited.

PaperCut prioritizes the safety of our customers through a responsible disclosure policy. As part of this approach, you may observe specific CVE identifiers appearing in our product release notes before a formal security bulletin or a CVE database entry is fully published. This “fix-first” strategy allows us to provide immediate protection while delaying the publication of technical details that could be used to develop exploits. Full documentation is published only when we are confident that disclosure no longer poses an immediate risk to our customer base.

This bulletin addresses the following security vulnerability:

  • CVE-2026-6645 (Insecure Search Path): insecure search path vulnerability in the PaperCut Print Deploy Client for Windows that could allow a local attacker to execute arbitrary code.

Recommendation: PaperCut recommends that PaperCut NG/MF customers who use the Print Deploy functionality verify that their Print Deploy Clients for Windows have been updated to at least version v2699 (Print Deploy server version 1.10.4178) if the auto-update mechanism for Print Deploy was not disabled, or upgrade the clients explicitly to the latest version if the auto-update mechanism was disabled.

Security issues addressed

CVE: CVE-2026-6645

Notes:

Insecure Search Path Vulnerability in PaperCut Print Deploy Client

An insecure process execution vulnerability exists in the pc-printer-updater.exe component of the PaperCut Print Deploy Client for Windows. The application, which typically operates with high-level system privileges, attempts to perform an internal validation check by invoking a secondary system utility using an unqualified file reference.

Because the application does not specify an absolute path to this utility, it relies on the operating system's default search order to locate the executable. Under specific conditions, a local attacker with the ability to modify directories within the system's search path could plant a malicious binary that mimics the expected utility.

It should be noted that for this vulnerability to be exploited, the system needs to be severely misconfigured and allow local, non-privileged users on the system to write files into the directories in the system search path.

Vulnerability Type: Uncontrolled Search Path Element (CWE-427).

Impact: This could result in the malicious code being executed with SYSTEM privileges, leading to a full compromise of the affected host.

Fixed in: PaperCut Print Deploy Client v2699 (bundled with Print Deploy server version 1.10.4178)

CVSS rating and vector: 7.3 (HIGH)

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
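
The precondition described in the notes (non-privileged users able to write into directories on the system search path) can be checked directly on a Windows client. The PowerShell below is an added example, not PaperCut code; the function name Get-WritablePathEntry and the list of trusted SIDs are assumptions made for illustration, and it inspects only the machine-level PATH variable.

```powershell
# Added example (not PaperCut code): list machine PATH directories where a
# principal other than SYSTEM, Administrators or a service SID can write.
# The trusted-SID list is an assumption; extend it for your environment.
$trusted = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators
$trustedPrefix = 'S-1-5-80-'               # NT SERVICE\* (e.g. TrustedInstaller)

# Bits that allow planting or replacing a file: WriteData/CreateFiles (0x2),
# AppendData (0x4), WRITE_DAC (0x40000), WRITE_OWNER (0x80000),
# GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$writeMask = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-WritablePathEntry {
    param([string]$PathValue = [Environment]::GetEnvironmentVariable('Path', 'Machine'))

    foreach ($entry in ($PathValue -split ';' | Where-Object { $_.Trim() })) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A missing entry deserves a look: whoever can create it controls it.
            [pscustomobject]@{ Directory = $dir; Principal = '(directory missing)'; Rights = $null }
            continue
        }
        # Ask for the ACL with identities already expressed as SIDs.
        $rules = (Get-Acl -LiteralPath $dir).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ([int]$ace.PropagationFlags -band 2) { continue }   # InheritOnly: not on this dir
            if ($trusted -contains $sid -or $sid.StartsWith($trustedPrefix)) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{ Directory = $dir; Principal = $sid; Rights = $ace.FileSystemRights }
        }
    }
}

Get-WritablePathEntry | Sort-Object Directory | Format-Table -AutoSize
```

An empty result means no machine PATH directory grants write access outside the trusted set; any row returned is a directory whose ACL should be tightened regardless of the client version installed.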

Who is impacted

You are likely impacted if you are running PaperCut Print Deploy Client v2699 (bundled with Print Deploy server version 1.10.4178) on Windows-based clients.

Steps to resolve

PaperCut recommends that all customers upgrade to the latest versions of their respective products in line with their standard maintenance and upgrade cycles.

  1. Upgrade Print Deploy Client: For most customers, the Print Deploy client will be automatically updated as long as automatic updates have not been disabled in your environment.
  2. Verify Deployment: If you manage deployments manually, or if automatic updates are disabled, please ensure you download and install PaperCut Print Deploy Client v2699 (bundled with Print Deploy server version 1.10.4178) or later.

FAQs

Q: Can I resolve these vulnerabilities without upgrading?

No. These security improvements require code-level changes found only in the latest releases. To resolve this issue, customers must ensure their environment is running PaperCut Print Deploy Client v2699 (bundled with Print Deploy server version 1.10.4178) or later.

Q: Was there any evidence of these vulnerabilities being exploited?

No. The vulnerability was reported to PaperCut by a security researcher under the responsible disclosure policy. PaperCut does not possess any knowledge of the vulnerability being exploited, and the fixes are not a response to any known exploits. Moreover, the conditions required for successful exploitation would most likely open better opportunities to take over the system, and PaperCut’s software would be an unlikely target in that case.

Security notifications

To stay informed about high-impact security updates, please subscribe via our Security notifications sign-up form.

Updates

Date | Update/action
22 June, 2026 (AEST) | Published the initial Security Bulletin.
22 June, 2026 (AEST) | Clarifying versions of Print Deploy Server vs client.



