Platform
rust
Component
coolercontrol/coolercontrold
Fixed in
4.0.0
CVE-2026-5302 is a medium-severity vulnerability affecting coolercontrold versions 2.0.0 through 4.0.0. A CORS misconfiguration allows unauthenticated attackers to read data and send commands to the service. This vulnerability arises from improper CORS settings, enabling cross-origin requests without adequate restrictions. The issue is resolved in version 4.0.0.
The primary impact of CVE-2026-5302 is the potential for unauthorized data access and command execution. An attacker can leverage a malicious website to craft cross-origin requests targeting the coolercontrold service. Successful exploitation allows the attacker to read sensitive data managed by coolercontrold, potentially including configuration details, operational status, or other critical information. Furthermore, the ability to send commands opens the door to remote control of the system, enabling actions such as altering settings or disrupting operations. The blast radius extends to any system running an affected version of coolercontrold, making it a widespread concern.
CVE-2026-5302 was publicly disclosed on 2026-04-08. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of exploitation due to the CORS misconfiguration suggests a medium probability of exploitation (EPSS score likely medium). The vulnerability is not currently listed on the CISA KEV catalog. The potential for widespread exploitation exists given the prevalence of coolercontrold deployments.
Systems running coolercontrold versions 2.0.0 through 4.0.0 are at risk, particularly those exposed to the internet or accessible from untrusted networks. Shared hosting environments where coolercontrold is deployed alongside other applications are also at increased risk, as a compromised application could be used to exploit this vulnerability.
• rust / server:
  curl -v -X GET 'http://<coolercontrold_ip>/api/data' -H 'Origin: http://attacker.com'
  If the response headers include Access-Control-Allow-Origin: * or Access-Control-Allow-Origin: http://attacker.com, the vulnerability is likely present.
• generic web:
  curl -I http://<coolercontrold_ip>/api/data -H 'Origin: http://attacker.com'
  Inspect the response headers for Access-Control-Allow-Origin. Note that -I sends a HEAD request; if the service answers HEAD differently from GET, rely on the GET form above.
disclosure
exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-5302 is to immediately upgrade coolercontrold to version 4.0.0 or later, which contains the fix for the CORS misconfiguration. If upgrading is not immediately feasible, consider implementing temporary workarounds such as configuring a Web Application Firewall (WAF) to block cross-origin requests to the coolercontrold endpoint. Alternatively, you can restrict access to the coolercontrold service by configuring network firewalls to only allow connections from trusted origins. Carefully review and tighten the CORS policy within coolercontrold's configuration to explicitly define allowed origins. After upgrading, confirm the fix by attempting a cross-origin request from a different domain and verifying that it is blocked.
Upgrade to version 4.0.0 or later to mitigate the permissive CORS configuration vulnerability. This update corrects the misconfiguration that allows remote attackers to read data and send commands through malicious websites.
CVE-2026-5302 is a medium-severity vulnerability in coolercontrold versions 2.0.0–4.0.0 that allows unauthenticated attackers to read data and send commands due to a CORS misconfiguration.
You are affected if you are running coolercontrold versions 2.0.0 through 4.0.0. Upgrade to 4.0.0 to mitigate the risk.
Upgrade coolercontrold to version 4.0.0 or later. As a temporary workaround, configure a WAF or restrict network access to the service.
While no public exploits are currently known, the ease of exploitation suggests a potential for active exploitation.
Refer to the coolercontrold project's official website or GitHub repository for the latest security advisories and updates.