Platform: rust
Component: coolercontrol/coolercontrold
Fixed in: 4.0.0
CVE-2026-5302 is a medium-severity vulnerability affecting coolercontrold versions 2.0.0 through 4.0.0. The service's CORS policy is permissive, so a web page served from any origin can make cross-origin requests to the daemon and read the responses; an unauthenticated attacker only needs a user of the affected host to load a malicious page. The issue is resolved in version 4.0.0.
The primary impact of CVE-2026-5302 is unauthorized data access and command execution. Because the browser carries the request to the local service on the victim's behalf, the attacker does not need network access to the host. Successful exploitation allows the attacker to read data managed by coolercontrold, potentially including configuration details and operational status, and to send the same commands the legitimate interface can, such as altering settings or disrupting operation. Every system running an affected version and used to browse the web is exposed.
CVE-2026-5302 was publicly disclosed on 2026-04-08. No public proof-of-concept (PoC) code had been released at the time of writing, but the low effort required to exploit a CORS misconfiguration suggests a medium probability of exploitation (EPSS score likely medium). The vulnerability is not currently listed in the CISA KEV catalog. Given how widely coolercontrold is deployed, broad exploitation is possible.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC: (none listed)
CVSS Vector: (none listed)
The recommended mitigation for CVE-2026-5302 is to upgrade coolercontrold to version 4.0.0 or later, which contains the fix for the CORS misconfiguration. If upgrading is not immediately feasible, consider temporary workarounds such as placing a Web Application Firewall (WAF) in front of the coolercontrold endpoint to reject requests whose Origin header is not a trusted origin. Alternatively, restrict access to the coolercontrold service with network firewalls so that only trusted hosts can connect; note that this does not stop a browser on the same host from being used as a relay, so it complements rather than replaces the CORS fix. Review and tighten the CORS policy within coolercontrold's configuration to explicitly define allowed origins rather than permitting any origin. After upgrading, confirm the fix by sending a request with an Origin header for an untrusted domain and verifying that the response carries no Access-Control-Allow-Origin header matching it (and that a preflight OPTIONS request for that origin is refused).
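The contrast between the weak and the corrected CORS behaviour, as an added illustration that is not coolercontrold's own code: the permissive policy reflects any Origin the browser sends, while the restricted policy allows only an exact allow-list of origins. The port 11987 and the localhost origins are assumed placeholders, not values taken from the project.

```rust
// Added illustration, not coolercontrold's code. A daemon listening on the
// local machine is reachable from any web page the user's browser loads; the
// CORS response headers are what decide whether that page may read the reply
// and, via preflight, send state-changing requests.

#[derive(Debug, PartialEq)]
pub enum CorsDecision {
    /// Emit Access-Control-Allow-Origin with this exact value.
    Allow(String),
    /// Omit the header entirely; the browser then blocks the cross-origin read.
    Deny,
}

/// The weak pattern behind a "permissive CORS" finding: echo whatever Origin
/// arrived. Every site the user visits can read responses and issue commands.
pub fn permissive_policy(origin: &str) -> CorsDecision {
    CorsDecision::Allow(origin.to_string())
}

/// Hardened pattern: exact match against a fixed allow-list. Browsers send the
/// Origin as scheme://host[:port] in lowercase, so a whole-string comparison
/// rejects look-alikes ("http://localhost:11987.attacker.example"), the opaque
/// "null" origin, and scheme or port mismatches.
pub fn restricted_policy(origin: &str, allowed: &[&str]) -> CorsDecision {
    if allowed.contains(&origin) {
        CorsDecision::Allow(origin.to_string())
    } else {
        CorsDecision::Deny
    }
}

/// Requests without an Origin header come from non-browser clients (curl,
/// scripts). CORS does not constrain those at all, which is why the advisory's
/// network-level restrictions are a separate, complementary control.
pub fn decide(origin: Option<&str>, allowed: &[&str]) -> CorsDecision {
    match origin {
        Some(o) => restricted_policy(o, allowed),
        None => CorsDecision::Deny,
    }
}

fn main() {
    // Assumed UI origins; placeholders rather than the project's real values.
    let allowed = ["http://localhost:11987", "http://127.0.0.1:11987"];
    for origin in ["http://localhost:11987", "https://attacker.example", "null"] {
        let weak = permissive_policy(origin);
        let fixed = restricted_policy(origin, &allowed);
        println!("{origin:<28} permissive={weak:?} restricted={fixed:?}");
    }
}
```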
Update to version 4.0.0 or higher to mitigate the permissive CORS configuration vulnerability. This update corrects the misconfiguration that allows remote attackers to read data and send commands via malicious websites.
CVE-2026-5302 is a medium-severity vulnerability in coolercontrold versions 2.0.0–4.0.0 that allows unauthenticated attackers to read data and send commands due to a CORS misconfiguration.
You are affected if you are running coolercontrold versions 2.0.0 through 4.0.0. Upgrade to 4.0.0 to mitigate the risk.
Upgrade coolercontrold to version 4.0.0 or later. As a temporary workaround, configure a WAF or restrict network access to the service.
While no public exploits are currently known, the low effort required to exploit a CORS misconfiguration means active exploitation should be anticipated.
Refer to the coolercontrold project's official website or GitHub repository for the latest security advisories and updates.