CVE-2026-5300
Unauthenticated Access in CoolerControl <4.0.0 Allows Data Modification
Publication date: 2026-04-08
Last updated on: 2026-04-16
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coolercontrol | coolercontrold | to 4.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in CoolerControl's coolercontrold versions prior to 4.0.0. It allows unauthenticated attackers to access functionality that should require authentication. Specifically, attackers can view and modify potentially sensitive data by sending crafted HTTP requests to the affected service.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure and modification of sensitive data. Because attackers do not need to authenticate, they can potentially manipulate device settings or access confidential information, which may affect system integrity, confidentiality, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthenticated access to CoolerControl/coolercontrold versions prior to 4.0.0 via HTTP requests that allow viewing and modifying sensitive data.
To detect this vulnerability on your network or system, you can monitor HTTP traffic for requests targeting the coolercontrold service endpoints, especially those that do not require authentication but allow data modification.
Suggested commands include using network monitoring tools like curl or wget to send HTTP requests to the suspected coolercontrold service and observe if sensitive data can be accessed or modified without authentication.
- curl -v http://<target-ip>:<port>/api/endpoint
- wget --spider http://<target-ip>:<port>/api/endpoint
- Use network packet analyzers like tcpdump or Wireshark to capture and inspect HTTP traffic to coolercontrold.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the coolercontrold service to trusted hosts only, such as by firewall rules or network segmentation.
Additionally, upgrading coolercontrold to version 4.0.0 or later, where the unauthenticated access vulnerability is fixed, is recommended.
If upgrading is not immediately possible, consider disabling or limiting the HTTP API endpoints that allow unauthenticated access.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests. Such unauthorized access and modification of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.
Specifically, the exposure of sensitive data without authentication undermines confidentiality and integrity requirements mandated by these standards, potentially resulting in legal and regulatory consequences for affected organizations.