Description
Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests
Published: 2026-04-08
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Data Access and Modification
Action: Immediate Patch
AI Analysis

Impact

Unauthenticated requests to the coolercontrold service expose a critical API endpoint that allows viewing and modifying potentially sensitive data. The weakness is a missing authentication check for these endpoints, classified as CWE‑306. Attackers who can reach the HTTP interface may read or alter configuration values, logs, or other protected resources, compromising integrity and confidentiality.

Affected Systems

CoolerControl coolercontrold versions earlier than 4.0.0, including all 3.x releases, are affected. The issue exists in the code branch referenced in the advisory, and upgrading to version 4.0.0 eliminates the unauthenticated access.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The exploitability is high for any host that can access the HTTP API, as no credentials are required. The likely attack vector is remote over the network, inferred from the description that the vulnerability is exposed via HTTP requests. EPSS is not available, and the vulnerability is not listed in the KEV catalog, suggesting no publicly disclosed exploits at this time.

Generated by OpenCVE AI on April 8, 2026 at 13:50 UTC.

Remediation

Vendor Solution

Upgrade to version 4.0.0

OpenCVE Recommended Actions

  • Apply the official upgrade to version 4.0.0 as provided by the vendor.
  • Verify that the upgraded service no longer accepts unauthenticated requests to the critical endpoints.
  • Audit application logs for any unauthorized API activity that may have occurred before the upgrade.

Generated by OpenCVE AI on April 8, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 01:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:coolercontrol:coolercontrold:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Coolercontrol
Coolercontrol coolercontrold
Vendors & Products Coolercontrol
Coolercontrol coolercontrold

Wed, 08 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests
Title Missing Authentication for Critical Function in coolercontrold
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Coolercontrol Coolercontrold
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-08T14:11:53.589Z

Reserved: 2026-04-01T05:33:17.063Z

Link: CVE-2026-5300

cve-icon Vulnrichment

Updated: 2026-04-08T14:11:43.059Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T13:16:43.123

Modified: 2026-04-16T00:58:33.587

Link: CVE-2026-5300

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:21:51Z

Weaknesses