Cyber Resilience

CVE-2026-5300

Severity: Medium

Published: 08 April 2026

Modified: 16 April 2026
KEV Added: not listed
Patch: see Deeper analysis below
CVSS v3.1 score: 5.9 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS score: 0.0022 (12.1st percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-5300 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Coolercontrol Coolercontrold. Its CVSS base score is 5.9 (Medium).

Operationally, it ranks at the 12.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-5300 affects the coolercontrold component in CoolerControl versions prior to 4.0.0. The vulnerability stems from unauthenticated functionality that allows attackers to view and modify potentially sensitive data via HTTP requests. Classified under CWE-306 (Missing Authentication for Critical Function), it carries a CVSS v3.1 base score of 5.9 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with low impacts across confidentiality, integrity, and availability.

Local attackers can exploit this issue without privileges or user interaction. Because the affected HTTP endpoints perform no authentication, any process able to reach the service on the local machine can read and alter sensitive data, which is reflected in the low attack complexity and local attack vector of the CVSS metrics.

The GitLab repository for CoolerControl provides evidence of the issue in the router.rs source file from version 3.1.1 and indicates mitigation via the 4.0.0 release, which addresses the unauthenticated access in coolercontrold. Security practitioners should upgrade to version 4.0.0 or later to remediate the vulnerability.

Vulnerability details

Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests.

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5302 (same product: Coolercontrol Coolercontrold)
CVE-2026-5208 (same product: Coolercontrol Coolercontrold)
CVE-2026-5301 (same product: Coolercontrol Coolercontrold)
CVE-2026-4810 (shared CWE-306)
CVE-2025-59695 (shared CWE-306)
CVE-2025-25224 (shared CWE-306)
CVE-2023-53968 (shared CWE-306)
CVE-2026-27843 (shared CWE-306)
CVE-2025-13030 (shared CWE-306)
CVE-2026-34731 (shared CWE-306)

Affected Assets

Vendor: coolercontrol
Product: coolercontrold
Versions: ≤ 4.0.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (AC-14, Permitted Actions Without Identification or Authentication): directly addresses the CVE by identifying, documenting, and restricting unauthenticated access to critical functions in coolercontrold that allow viewing and modifying sensitive data.

Prevent (AC-3, Access Enforcement): enforces approved authorizations, requiring authentication for HTTP requests to coolercontrold to prevent unauthorized viewing or modification of sensitive data.

Prevent: mandates identification and authentication between the coolercontrold service and its clients for all HTTP interactions involving sensitive data access.