Description
CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites
Published: 2026-04-08
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote data exposure and unauthorized command execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a CORS misconfiguration in the coolercontrold service that allows unauthenticated attackers to bypass same‑origin restrictions. This flaw, classified as CWE‑942, enables malicious web pages to read sensitive data returned by the service and to issue commands to it, effectively granting remote control over the device.

Affected Systems

CoolerControl’s coolercontrold component, specifically all releases before version 4.0.0, is affected. The advisory applies to the current 2.0.0 codebase referenced in the source repository.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate threat level. No EPSS score is available and the issue is not listed in KEV, suggesting limited public exploitation data. The likely attack vector is through a web browser that visits a malicious site, leveraging the permissive cross‑domain policy to interact with the service. Exploitation requires no special privileges or authentication, so the risk to exposed systems is significant.

Generated by OpenCVE AI on April 8, 2026 at 13:21 UTC.

Remediation

Vendor Solution

Upgrade to version 4.0.0

OpenCVE Recommended Actions

  • Upgrade CoolerControl to version 4.0.0

Generated by OpenCVE AI on April 8, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:coolercontrol:coolercontrold:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Coolercontrol
Coolercontrol coolercontrold
Vendors & Products Coolercontrol
Coolercontrol coolercontrold

Wed, 08 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Description CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites
Title Permissive Cross-domain Policy with Untrusted Domains in coolercontrold
Weaknesses CWE-942
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

Subscriptions

Coolercontrol Coolercontrold
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-08T14:10:15.915Z

Reserved: 2026-04-01T05:33:27.052Z

Link: CVE-2026-5302

cve-icon Vulnrichment

Updated: 2026-04-08T14:10:05.238Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T13:16:43.403

Modified: 2026-04-16T00:40:11.723

Link: CVE-2026-5302

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:21:50Z

Weaknesses