CVE-2026-5302
Received Received - Intake
CORS Misconfiguration in CoolerControl <4.0.0 Enables Remote Data Access

Publication date: 2026-04-08

Last updated on: 2026-04-16

Assigner: GitLab Inc.

Description
CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-14
NVD
CVE-2026-5302
EUVD
EUVD-2026-20461
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
coolercontrol coolercontrold to 4.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability involves a CORS misconfiguration that allows unauthenticated remote attackers to read data and send commands to the service via malicious websites. This could lead to unauthorized access and potential data exposure.

Such unauthorized access and data exposure may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access.

However, the provided information does not specify the exact nature of the data involved or how this vulnerability directly affects compliance with these regulations.

Executive Summary

This vulnerability is a Cross-Origin Resource Sharing (CORS) misconfiguration in CoolerControl's coolercontrold service versions below 4.0.0. It allows unauthenticated remote attackers to exploit the service by reading data and sending commands through malicious websites.

Impact Analysis

The vulnerability can lead to unauthorized access where attackers can remotely read sensitive data and send commands to the coolercontrold service without authentication. This could result in unauthorized control over cooling devices, potential disruption of service, and leakage of sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5302. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart