CVE-2026-5300
Received Received - Intake
Unauthenticated Access in CoolerControl <4.0.0 Allows Data Modification

Publication date: 2026-04-08

Last updated on: 2026-04-16

Assigner: GitLab Inc.

Description
Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5300
EUVD
EUVD-2026-20457
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
coolercontrol coolercontrold to 4.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in CoolerControl's coolercontrold versions prior to 4.0.0. It allows unauthenticated attackers to access functionality that should require authentication. Specifically, attackers can view and modify potentially sensitive data by sending crafted HTTP requests to the affected service.

Impact Analysis

The vulnerability can lead to unauthorized disclosure and modification of sensitive data. Because attackers do not need to authenticate, they can potentially manipulate device settings or access confidential information, which may affect system integrity, confidentiality, and availability.

Detection Guidance

This vulnerability involves unauthenticated access to CoolerControl/coolercontrold versions prior to 4.0.0 via HTTP requests that allow viewing and modifying sensitive data.

To detect this vulnerability on your network or system, you can monitor HTTP traffic for requests targeting the coolercontrold service endpoints, especially those that do not require authentication but allow data modification.

Suggested commands include using network monitoring tools like curl or wget to send HTTP requests to the suspected coolercontrold service and observe if sensitive data can be accessed or modified without authentication.

  • curl -v http://<target-ip>:<port>/api/endpoint
  • wget --spider http://<target-ip>:<port>/api/endpoint
  • Use network packet analyzers like tcpdump or Wireshark to capture and inspect HTTP traffic to coolercontrold.
Mitigation Strategies

Immediate mitigation steps include restricting network access to the coolercontrold service to trusted hosts only, such as by firewall rules or network segmentation.

Additionally, upgrading coolercontrold to version 4.0.0 or later, where the unauthenticated access vulnerability is fixed, is recommended.

If upgrading is not immediately possible, consider disabling or limiting the HTTP API endpoints that allow unauthenticated access.

Compliance Impact

This vulnerability allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests. Such unauthorized access and modification of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.

Specifically, the exposure of sensitive data without authentication undermines confidentiality and integrity requirements mandated by these standards, potentially resulting in legal and regulatory consequences for affected organizations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5300. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart