CVE-2026-5300
Published: 08 April 2026
Summary
CVE-2026-5300 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Coolercontrol Coolercontrold. Its CVSS base score is 5.9 (Medium).
Operationally, its exploit likelihood ranks at the 12.1st percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-5300 affects the coolercontrold component in CoolerControl versions prior to 4.0.0. The vulnerability stems from unauthenticated functionality that allows attackers to view and modify potentially sensitive data via HTTP requests. Classified under CWE-306 (Missing Authentication for Critical Function), it carries a CVSS v3.1 base score of 5.9 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with low impacts across confidentiality, integrity, and availability.
Local attackers can exploit this issue without requiring privileges or user interaction. By sending HTTP requests to the affected service, unauthenticated adversaries gain the ability to read and alter sensitive data, leveraging the low attack complexity and local attack vector specified in the CVSS metrics.
The GitLab repository for CoolerControl provides evidence of the issue in the router.rs source file from version 3.1.1 and indicates mitigation via the 4.0.0 release, which addresses the unauthenticated access in coolercontrold. Security practitioners should upgrade to version 4.0.0 or later to remediate the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20457
Vulnerability details
Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests.
Related Threats
MITRE ATT&CK Enterprise Techniques: insufficient information to map techniques.
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly addresses the CVE by identifying, documenting, and restricting unauthenticated access to critical functions in coolercontrold that allow viewing and modifying sensitive data.
- AC-3 (Access Enforcement): enforces approved authorizations, requiring authentication for HTTP requests to coolercontrold to prevent unauthorized viewing or modification of sensitive data.
- Mandates identification and authentication between the coolercontrold service and its clients for all HTTP interactions involving sensitive data access.
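As an added illustration of the AC-14 and AC-3 controls listed above (example code written for this page, not coolercontrold's own router.rs; the route paths, the token value and the `Policy` type are constructed assumptions): a default-deny route policy in which only an explicit allowlist of routes may be used without authentication, and every other request must carry a valid bearer token before any handler runs.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Decision { Allow, Unauthorized, NotFound }

/// Default-deny policy: `anonymous` is the AC-14 allowlist, and the token
/// check applied to every other route before dispatch is the AC-3 enforcement.
pub struct Policy {
    /// Actions permitted without identification or authentication (AC-14).
    anonymous: &'static [(&'static str, &'static str)],
    /// All other known (method, path) pairs; each requires a valid bearer token.
    protected: &'static [(&'static str, &'static str)],
    /// Constructed token for this example; a real service validates a session or API key.
    valid_token: &'static [u8],
}

impl Policy {
    /// Length-checked, constant-time comparison so guessing cannot use timing.
    fn token_matches(&self, presented: &[u8]) -> bool {
        presented.len() == self.valid_token.len()
            && presented.iter().zip(self.valid_token).fold(0u8, |acc, (a, b)| acc | (a ^ b)) == 0
    }

    fn listed(table: &[(&str, &str)], method: &str, path: &str) -> bool {
        table.iter().any(|(m, p)| *m == method && *p == path)
    }

    /// Decide before dispatch; handlers never see a request this function rejects.
    pub fn authorize(&self, method: &str, path: &str, headers: &HashMap<&str, &str>) -> Decision {
        if Self::listed(self.anonymous, method, path) {
            return Decision::Allow;
        }
        // Anything outside the allowlist must authenticate first, unknown paths
        // included, so anonymous callers learn nothing about the route table.
        let authenticated = headers
            .get("authorization")
            .and_then(|v| v.strip_prefix("Bearer "))
            .map_or(false, |tok| self.token_matches(tok.as_bytes()));
        if !authenticated {
            return Decision::Unauthorized;
        }
        if Self::listed(self.protected, method, path) { Decision::Allow } else { Decision::NotFound }
    }
}

/// Constructed route table modelled on a device-control daemon's read and modify endpoints.
pub fn example_policy() -> Policy {
    Policy {
        anonymous: &[("GET", "/health")],
        protected: &[("GET", "/devices"), ("PATCH", "/devices/settings")],
        valid_token: b"constructed-example-token",
    }
}
```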