{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5300", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-04-01T05:33:17.063Z", "datePublished": "2026-04-08T12:04:56.421Z", "dateUpdated": "2026-04-08T14:11:53.589Z"}, "containers": {"cna": {"title": "Missing Authentication for Critical Function in coolercontrold", "descriptions": [{"lang": "en", "value": "Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests"}], "affected": [{"vendor": "CoolerControl", "product": "coolercontrold", "versions": [{"version": "0.14.0", "status": "affected", "lessThan": "4.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "cweId": "CWE-306", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/coolercontrol/coolercontrol/-/blob/3.1.1/coolercontrold/src/api/router.rs?ref_type=tags"}, {"url": "https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to version 4.0.0"}], "credits": [{"lang": "en", "value": "https://gitlab.com/lassi-3", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-08T12:04:56.421Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:11:36.130817Z", "id": "CVE-2026-5300", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:11:53.589Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5300", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:11:36.130817Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:11:43.059Z"}}], "cna": {"title": "Missing Authentication for Critical Function in coolercontrold", "credits": [{"lang": "en", "type": "finder", "value": "https://gitlab.com/lassi-3"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CoolerControl", "product": "coolercontrold", "versions": [{"status": "affected", "version": "0.14.0", "lessThan": "4.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to version 4.0.0"}], "references": [{"url": "https://gitlab.com/coolercontrol/coolercontrol/-/blob/3.1.1/coolercontrold/src/api/router.rs?ref_type=tags"}, {"url": "https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0"}], "descriptions": [{"lang": "en", "value": "Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-08T12:04:56.421Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5300", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:11:53.589Z", "dateReserved": "2026-04-01T05:33:17.063Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-04-08T12:04:56.421Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:coolercontrol:coolercontrold:*:*:*:*:*:*:*:*", "matchCriteriaId": "058074F8-B65C-4417-A5A1-9746DF8E3B12", "versionEndExcluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests"}], "id": "CVE-2026-5300", "lastModified": "2026-04-16T00:58:33.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.4, "source": "cve@gitlab.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T13:16:43.123", "references": [{"source": "cve@gitlab.com", "tags": ["Product"], "url": "https://gitlab.com/coolercontrol/coolercontrol/-/blob/3.1.1/coolercontrold/src/api/router.rs?ref_type=tags"}, {"source": "cve@gitlab.com", "tags": ["Release Notes"], "url": "https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.14.0,4.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "coolercontrold", "vendor": "coolercontrol"}], "analysis": {"en": {"generated_at": "2026-04-08T13:50:42.873096+00:00", "value": {"mitigation_remediation": ["Apply the official upgrade to version 4.0.0 as provided by the vendor.", "Verify that the upgraded service no longer accepts unauthenticated requests to the critical endpoints.", "Audit application logs for any unauthorized API activity that may have occurred before the upgrade."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Data Access and Modification"}, "threat_synthesis": {"affected_systems": "CoolerControl coolercontrold versions earlier than 4.0.0, including all 3.x releases, are affected. The issue exists in the code branch referenced in the advisory, and upgrading to version 4.0.0 eliminates the unauthenticated access.", "description_and_impact": "Unauthenticated requests to the coolercontrold service expose a critical API endpoint that allows viewing and modifying potentially sensitive data. The weakness is a missing authentication check for these endpoints, classified as CWE\u2011306. Attackers who can reach the HTTP interface may read or alter configuration values, logs, or other protected resources, compromising integrity and confidentiality.", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity. The exploitability is high for any host that can access the HTTP API, as no credentials are required. The likely attack vector is remote over the network, inferred from the description that the vulnerability is exposed via HTTP requests. EPSS is not available, and the vulnerability is not listed in the KEV catalog, suggesting no publicly disclosed exploits at this time."}}}}, "created": "2026-04-08T19:39:42.303283+00:00", "updated": "2026-04-09T08:21:51.958220+00:00", "vendors": ["coolercontrol", "coolercontrol$PRODUCT$coolercontrold"]}