Description
Command injection in alerts in CoolerControl/coolercontrold <4.0.0 allows authenticated attackers to execute arbitrary code as root via injected bash commands in alert names
Published: 2026-04-08
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A command injection vulnerability exists in the alert generation component of CoolerControl's coolercontrold daemon in all releases older than 4.0.0. An authenticated attacker can embed shell syntax in an alert name, and the daemon, which runs as root, passes that name into an OS command that a shell then executes. The result is arbitrary code execution as root and full compromise of the host. Note that the CVSS vector rates the attack vector as local (AV:L) with high privileges required (PR:H), so the precondition is an authenticated, privileged session with the daemon rather than unauthenticated network access. The weakness is improper neutralization of user input before it is concatenated into an OS command, CWE-78.

Affected Systems

The affected product is CoolerControl’s coolercontrold daemon. All versions older than 4.0.0 are vulnerable regardless of operating system or deployment configuration. Any environment that allows authenticated users to create or edit alerts is exposed.

Risk and Exploitability

With a CVSS 3.1 base score of 8.2 (vector AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), the vulnerability is rated high severity. The EPSS probability is below 1 percent, and the SSVC assessment records no known exploitation and rates the flaw as not automatable. It is not listed in the CISA KEV catalog. The attacker must already hold high-privilege credentials for the coolercontrold API, which limits exposure; the scope-changed rating reflects that a successful attack escapes the daemon's own authorization boundary and yields root on the host, which is why immediate patching is still warranted. An attacker who can authenticate creates an alert whose name contains shell metacharacters; when the daemon later processes the alert and builds the OS command, the shell interprets the embedded text and runs it as root.
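The pattern the analysis describes, shown as an added illustration that is not CoolerControl's code and not part of the advisory: a hypothetical alert hook that builds an OS command from the alert name. The vulnerable form splices the name into a string handed to `sh -c`; the hardened form passes the name as a single argv element with no shell in between and, as defense in depth, rejects names outside an allowlist at the API boundary. `echo` stands in for whatever notification program a real hook would run, the payload is constructed, and all function names are invented.

```rust
use std::process::Command;

// Illustrative only: a hypothetical alert hook, not CoolerControl's code.
// In the real daemon the process runs as root, so whatever these functions
// execute would run as root too.

/// VULNERABLE PATTERN (CWE-78): the alert name is spliced into a command line
/// that is handed to `sh -c`. A single quote in the name closes the quoted
/// argument and everything after it is parsed as shell syntax.
pub fn vulnerable_cmdline(alert_name: &str) -> String {
    format!("echo 'Alert fired: {}'", alert_name)
}

/// Runs the vulnerable command line through a shell and returns its stdout.
pub fn run_vulnerable(alert_name: &str) -> String {
    let out = Command::new("sh")
        .arg("-c")
        .arg(vulnerable_cmdline(alert_name))
        .output()
        .expect("failed to spawn sh");
    String::from_utf8_lossy(&out.stdout).into_owned()
}

/// HARDENED, step 1: never route user data through a shell. Each argv element
/// reaches execve unchanged, so shell metacharacters have no special meaning.
pub fn run_argv(alert_name: &str) -> String {
    let out = Command::new("echo")
        .arg(format!("Alert fired: {}", alert_name))
        .output()
        .expect("failed to spawn echo");
    String::from_utf8_lossy(&out.stdout).into_owned()
}

/// HARDENED, step 2 (defense in depth): constrain alert names to an allowlist
/// when they are created or edited, so hostile names are never stored.
pub fn validate_alert_name(name: &str) -> Result<&str, String> {
    const MAX_LEN: usize = 64;
    let allowed = |c: char| c.is_ascii_alphanumeric() || matches!(c, ' ' | '_' | '-' | '.');
    if name.is_empty() || name.len() > MAX_LEN {
        return Err(format!("alert name must be 1..={} bytes", MAX_LEN));
    }
    if let Some(bad) = name.chars().find(|&c| !allowed(c)) {
        return Err(format!("alert name contains disallowed character {:?}", bad));
    }
    Ok(name)
}

/// Hardened end to end: validate at the boundary, then execute without a shell.
pub fn run_hardened(alert_name: &str) -> Result<String, String> {
    let name = validate_alert_name(alert_name)?;
    Ok(run_argv(name))
}

fn main() {
    // Constructed payload: closes the quote, runs an attacker command, reopens it.
    let payload = "fan'; echo INJECTED; echo '";
    println!("vulnerable -> {:?}", run_vulnerable(payload));
    println!("argv only  -> {:?}", run_argv(payload));
    println!("hardened   -> {:?}", run_hardened(payload));
    println!("hardened   -> {:?}", run_hardened("CPU over 85C"));
}
```

With the payload above, `run_vulnerable` prints a second line `INJECTED`, proving the shell executed attacker-controlled text, while `run_argv` prints the payload literally and `run_hardened` refuses it outright. The essential fix is the argv boundary; the allowlist only narrows what can be stored and must not be relied on alone, since a later code path could reintroduce a shell.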

Generated by OpenCVE AI on April 8, 2026 at 12:50 UTC.

Remediation

Vendor Solution

Upgrade to version 4.0.0


OpenCVE Recommended Actions

  • Check the installed version of coolercontrold to determine if it is older than 4.0.0.
  • Upgrade coolercontrold to version 4.0.0 or later as recommended by the vendor.
  • After the upgrade, verify that alert names are no longer executed as shell commands.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 01:15:00 +0000

  CPEs (values added): cpe:2.3:a:coolercontrol:coolercontrold:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

  First Time appeared (values added): Coolercontrol; Coolercontrol coolercontrold
  Vendors & Products (values added): Coolercontrol; Coolercontrol coolercontrold

Wed, 08 Apr 2026 13:15:00 +0000

  Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 11:45:00 +0000

  Description (values added): Command injection in alerts in CoolerControl/coolercontrold <4.0.0 allows authenticated attackers to execute arbitrary code as root via injected bash commands in alert names
  Title (values added): Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coolercontrold
  Weaknesses (values added): CWE-78
  References:
  Metrics (values added): cvssV3_1
    {'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-08T12:55:51.455Z

Reserved: 2026-03-31T09:35:01.724Z

Link: CVE-2026-5208

Vulnrichment

Updated: 2026-04-08T12:55:47.478Z

NVD

Status : Analyzed

Published: 2026-04-08T12:16:22.383

Modified: 2026-04-16T01:06:47.997

Link: CVE-2026-5208

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:21:54Z

Weaknesses