Cyber Posture

CVE-2026-5300

Severity: Medium
Published: 08 April 2026
Modified: 16 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS Score: 5.9 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0002 (6.5th percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5300 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in the coolercontrold daemon of CoolerControl (NVD product: Coolercontrol Coolercontrold), affecting versions before 4.0.0. Its CVSS v3.1 base score is 5.9 (Medium).

Operationally, its EPSS score places it at the 6.5th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-14, Permitted Actions Without Identification or Authentication (prevent): Directly addresses the CVE by identifying, documenting, and restricting which coolercontrold functions may be reached without authentication, so that functions that view or modify sensitive data are never among them.

AC-3, Access Enforcement (prevent): Enforces approved authorizations by requiring authentication for HTTP requests to coolercontrold, preventing unauthorized viewing or modification of sensitive data.

Service-to-client identification and authentication (prevent): Mandates identification and authentication between the coolercontrold service and its clients for all HTTP interactions that touch sensitive data.
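The gate that the AC-14 and AC-3 entries above describe, written out as an added example in Rust (the language of coolercontrold, judging by the router.rs file the analysis cites). This is not CoolerControl's code and does not reproduce the 3.1.1 router or the 4.0.0 fix; the route paths, the health-check allow-list entry, the Authorization header convention and the token value are assumptions chosen for illustration. The point is the shape: an explicit, documented allow-list of routes that may be served without credentials (AC-14), and a default that rejects every other request lacking a valid token (AC-3), compared in constant time.

```rust
// Added example, not CoolerControl's code. Dependency-free model of the
// AC-14 / AC-3 pattern for an HTTP daemon: routes default to "authentication
// required"; an explicit allow-list documents the few served without it.
// Paths, header name and token value below are assumptions, not the project's.

use std::collections::HashMap;

/// Routes the daemon permits without credentials (the AC-14 documented
/// exceptions). Everything else is a critical function that needs auth (AC-3).
const UNAUTHENTICATED_ALLOWLIST: &[(&str, &str)] = &[("GET", "/health")];

/// Minimal parsed request: method, path and lower-cased header map.
#[derive(Debug, PartialEq)]
pub struct Request {
    pub method: String,
    pub path: String,
    pub headers: HashMap<String, String>,
}

/// Outcome of the gate, mapped to the status a handler would return.
#[derive(Debug, PartialEq)]
pub enum Decision {
    Allowed,      // serve the route
    Unauthorized, // 401: missing or wrong credentials on a protected route
    BadRequest,   // 400: malformed request line or header
}

/// Parse the request line and headers of a raw HTTP/1.1 request head.
pub fn parse_request(raw: &str) -> Option<Request> {
    let mut lines = raw.split("\r\n");
    let mut start = lines.next()?.split_whitespace();
    let method = start.next()?.to_string();
    let path = start.next()?.to_string();
    let _version = start.next()?; // "HTTP/1.1"; absent means malformed
    let mut headers = HashMap::new();
    for line in lines {
        if line.is_empty() {
            break; // blank line ends the header block
        }
        let (k, v) = line.split_once(':')?;
        headers.insert(k.trim().to_ascii_lowercase(), v.trim().to_string());
    }
    Some(Request { method, path, headers })
}

/// Constant-time byte comparison: no early exit, so the check leaks no
/// timing information about how many leading bytes of the token matched.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// The CWE-306 shape: every route is served, no credential check at all.
pub fn gate_vulnerable(_req: &Request) -> Decision {
    Decision::Allowed
}

/// The hardened shape: allow-list first (AC-14), then a bearer token is
/// required on every other route (AC-3). `expected_token` is the daemon's
/// configured secret (assumed to be loaded from protected configuration).
pub fn gate_hardened(req: &Request, expected_token: &[u8]) -> Decision {
    let listed = UNAUTHENTICATED_ALLOWLIST
        .iter()
        .any(|(m, p)| *m == req.method.as_str() && *p == req.path.as_str());
    if listed {
        return Decision::Allowed;
    }
    match req
        .headers
        .get("authorization")
        .and_then(|v| v.strip_prefix("Bearer "))
    {
        Some(tok) if ct_eq(tok.as_bytes(), expected_token) => Decision::Allowed,
        _ => Decision::Unauthorized,
    }
}

/// Parse then gate a raw request, treating parse failure as a 400.
pub fn decide(raw: &str, expected_token: &[u8]) -> Decision {
    match parse_request(raw) {
        None => Decision::BadRequest,
        Some(req) => gate_hardened(&req, expected_token),
    }
}

fn main() {
    // Constructed sample traffic, not captured from a real daemon.
    let secret = b"example-token-not-a-real-secret";
    let samples = [
        "GET /health HTTP/1.1\r\nHost: localhost\r\n\r\n",
        "PUT /devices/0/speed HTTP/1.1\r\nHost: localhost\r\n\r\n",
        "PUT /devices/0/speed HTTP/1.1\r\nHost: localhost\r\nAuthorization: Bearer example-token-not-a-real-secret\r\n\r\n",
    ];
    for raw in samples {
        let req = parse_request(raw).expect("samples are well-formed");
        println!(
            "{} {} -> vulnerable: {:?}, hardened: {:?}",
            req.method, req.path, gate_vulnerable(&req), gate_hardened(&req, secret)
        );
    }
}
```

The vulnerable and hardened gates differ only in whether a credential is demanded before the route runs; the allow-list is the documented set of AC-14 exceptions, and the second write request shows what PR:N means in practice when the check is absent.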

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

NVD Description

Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests

Deeper analysis

CVE-2026-5300 affects the coolercontrold component of CoolerControl in versions prior to 4.0.0. The daemon exposes functionality over HTTP that can be reached without authenticating, which lets an attacker view and modify potentially sensitive data. Classified under CWE-306 (Missing Authentication for Critical Function), it carries a CVSS v3.1 base score of 5.9 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L): medium severity, with low impact on each of confidentiality, integrity, and availability.

Exploitation needs neither privileges nor user interaction: an unprivileged local process sends HTTP requests to the daemon's listener and can then read and alter the data it manages, which is what the PR:N, UI:N and AC:L metrics express. The local attack vector (AV:L) assumes the listener is reached from the same host. If a deployment exposes that listener beyond the host, for example by binding it to a non-loopback address or forwarding the port, the exposure is wider than the base score assumes and the issue should be treated as more urgent than "Medium" suggests.

The CoolerControl GitLab repository provides evidence of the issue in the router.rs source file as of version 3.1.1 and shows the 4.0.0 release addressing the unauthenticated access in coolercontrold. Upgrade to version 4.0.0 or later to remediate; until the upgrade is in place, limit which users and processes on the host can reach the daemon's HTTP listener.

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function)

Affected Products: CoolerControl coolercontrold, versions < 4.0.0 (4.0.0 is the fixed release)

CVEs Like This One

CVE-2026-5208: same product (Coolercontrol Coolercontrold)
CVE-2026-5301: same product (Coolercontrol Coolercontrold)
CVE-2026-5302: same product (Coolercontrol Coolercontrold)
CVE-2026-34732: shared CWE-306
CVE-2025-24865: shared CWE-306
CVE-2025-66049: shared CWE-306
CVE-2026-28458: shared CWE-306
CVE-2026-29132: shared CWE-306
CVE-2026-1453: shared CWE-306
CVE-2026-23693: shared CWE-306
