
PaperCut's Windows print client can be tricked into giving a local attacker total control

CVE-2026-6645 lets a local attacker plant a file that PaperCut's Print Deploy client runs with full system rights on Windows. Update to version 1.10.4178.


A tool that pushes printer drivers to Windows desktops is not where most teams look for a way to own a machine. PaperCut's Print Deploy client is exactly that kind of quiet background software, and CVE-2026-6645 turns it into a local route to full control of the host. The fix is Print Deploy version 1.10.4178. The bug is local-only and there are no reports of it being used in attacks, but it converts a mundane misconfiguration into a complete takeover, so it is worth handling this week.

What the flaw actually is

The vulnerable piece is pc-printer-updater.exe, a component that runs with the high privileges Print Deploy needs to manage printers for every user on the box. During an internal check, it starts a helper program by name rather than by full path. Windows then searches its standard list of directories, the system PATH, for the first executable that matches that name. If any directory on that list is one an ordinary user can write to, an attacker places their own program there under the expected filename. The updater finds the planted file first and runs it, handing the attacker code execution at the most powerful account on the system.

PaperCut rates the issue 7.3 on the CVSS 4.0 scale and classifies it as an uncontrolled search path element (CWE-427). It was reported by Alex F. of JET Services and disclosed in PaperCut's June 2026 security bulletin.

Why a local-only bug still deserves attention

"Local attacker" sounds like it needs someone already sitting at the keyboard, and the requirement that they can write to a directory on the system path sounds like a high bar. On a well-built Windows image it is. On real fleets it often is not. Plenty of third-party installers append their own folder to the system path and leave that folder writable by standard users, and some software ships world-writable directories without anyone noticing. Each of those is a low-severity finding on its own. This flaw is the multiplier: give it that quiet misconfiguration and a foothold as any logged-in user, and it pays out full control of the host.

That is the same shape as a recent Windows driver bug that let any user seize the whole machine: the entry point looks harmless until something privileged decides to trust it. Search-order hijacks like this one have been a dependable escalation trick for years, precisely because the writable-directory condition is so common in the wild.

What to do now

Three steps, in order of urgency:

  • Update Print Deploy to 1.10.4178 or later. PaperCut is rolling the fix out in stages rather than all at once, so do not assume your clients already have it. Check the installed version and pull the update directly if your endpoints have not received it yet.

  • Audit your system path for user-writable directories. On each affected host, list the folders on the system PATH and check their permissions with icacls. Any entry a standard user can write to is an escalation waiting for a trigger, with or without this specific bug.

  • Hunt for the abuse pattern. Watch for new executables appearing in path directories, and for pc-printer-updater.exe spawning child processes that are not the expected Windows utilities. An updater that suddenly launches an unsigned binary from a user-writable folder is the signal to chase.
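One way to run the audit and hunt steps above on a single host, as an added example that is not PaperCut's code or from this article. It assumes the privileged updater searches the machine-scope PATH, that Sysmon process-creation logging (Event ID 1) is enabled, and that the list of identities treated as low-privilege is a starting point you extend for your environment.

```powershell
# Added example, not PaperCut's code. Assumes machine-scope PATH and Sysmon Event ID 1 logs.
$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
# Creating a file in the directory is all a search-order hijack needs.
$PlantMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles

function Get-WritablePathDirs {
    # A SYSTEM-level service sees the Machine PATH only; the user PATH does not apply.
    $dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_.Trim() } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()).TrimEnd('\') }
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # Missing entry: follow up on whether a standard user could create that directory.
            [pscustomobject]@{ Directory = $dir; Issue = 'missing'; Identity = $null }
            continue
        }
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $PlantMask) -ne 0) {
                [pscustomobject]@{ Directory = $dir; Issue = 'writable'; Identity = $ace.IdentityReference.Value }
            }
        }
    }
}

function Find-SuspiciousUpdaterChildren {
    param([string[]]$WritableDirs = @(), [int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ParentImage -notlike '*\pc-printer-updater.exe') { return }
        $childDir = (Split-Path -Parent $d.Image).TrimEnd('\')
        $fromWritable = [bool]($WritableDirs | Where-Object { $childDir -ieq $_ })
        # Children outside %SystemRoot% deserve a look; baseline the product's own
        # install folder, which will show up legitimately.
        if ($fromWritable -or $d.Image -notlike "$env:SystemRoot\*") {
            [pscustomobject]@{ Time = $_.TimeCreated; Child = $d.Image
                               FromWritableDir = $fromWritable; CommandLine = $d.CommandLine }
        }
    }
}

$findings = Get-WritablePathDirs
$findings | Format-Table -AutoSize
$writable = $findings | Where-Object Issue -eq 'writable' | Select-Object -ExpandProperty Directory -Unique
Find-SuspiciousUpdaterChildren -WritableDirs $writable | Format-Table -AutoSize
```

Run it from an elevated prompt, since reading the Sysmon log and some directory ACLs requires it; a hit in the second table is a process to pull and inspect, not proof of compromise by itself.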

The pattern worth remembering

Calling a program by name instead of by full path is a one-line convenience that quietly hands a security decision to whatever the path happens to contain. Privileged software has to name its dependencies exactly, or it inherits the weakest directory permissions on the machine. The same trust-the-default reflex shows up well beyond search paths, from services that ship with a password baked into their source to drivers that assume only an administrator will ever call them. Print Deploy 1.10.4178 closes this instance. The class of bug is not going anywhere.


Frequently asked questions

What is CVE-2026-6645?

CVE-2026-6645 is a high-severity local privilege escalation in PaperCut's Print Deploy client for Windows, scored 7.3 on CVSS 4.0. Its updater component runs a helper program by name, so a local user who can write to a directory on the system path can run code with full system rights.

Is CVE-2026-6645 being exploited in the wild?

There are no public reports of CVE-2026-6645 being exploited as of its June 22, 2026 disclosure. It is a local-only flaw that needs a foothold on the machine and a writable directory on the system path, so it is most likely to show up as one step inside a larger attack chain rather than as the initial break-in.

How do I fix the PaperCut Print Deploy vulnerability?

Update the PaperCut Print Deploy client to version 1.10.4178 or later, which addresses CVE-2026-6645. PaperCut is releasing the fix in stages, so check the installed version on each endpoint rather than assuming it has arrived, and pull the update manually where it has not.

Who is affected by CVE-2026-6645?

Organizations running the PaperCut Print Deploy client on Windows before version 1.10.4178 are affected. The advisory names the Windows client specifically. The practical risk is highest on hosts where a standard user can write to a folder listed on the system path, which is a common third-party-software misconfiguration.

What is a search-order hijack?

A search-order hijack abuses how Windows finds a program when it is called by name rather than by full path. The operating system checks each directory on the system path in turn, so an attacker who can place a file in an early, writable directory gets their own code run in place of the intended program.
