{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5302", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-04-01T05:33:27.052Z", "datePublished": "2026-04-08T12:05:06.430Z", "dateUpdated": "2026-04-08T14:10:15.915Z"}, "containers": {"cna": {"title": "Permissive Cross-domain Policy with Untrusted Domains in coolercontrold", "descriptions": [{"lang": "en", "value": "CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites"}], "affected": [{"vendor": "CoolerControl", "product": "coolercontrold", "versions": [{"version": "2.0.0", "status": "affected", "lessThan": "4.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains", "cweId": "CWE-942", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/coolercontrol/coolercontrol/-/blob/2.0.0/coolercontrold/src/api/mod.rs?ref_type=tags#L374"}, {"url": "https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to version 4.0.0"}], "credits": [{"lang": "en", "value": "https://gitlab.com/lassi-3", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-08T12:05:06.430Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:09:53.564536Z", "id": "CVE-2026-5302", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:10:15.915Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5302", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:09:53.564536Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:10:05.238Z"}}], "cna": {"title": "Permissive Cross-domain Policy with Untrusted Domains in coolercontrold", "credits": [{"lang": "en", "type": "finder", "value": "https://gitlab.com/lassi-3"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CoolerControl", "product": "coolercontrold", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "4.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to version 4.0.0"}], "references": [{"url": "https://gitlab.com/coolercontrol/coolercontrol/-/blob/2.0.0/coolercontrold/src/api/mod.rs?ref_type=tags#L374"}, {"url": "https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0"}], "descriptions": [{"lang": "en", "value": "CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-942", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-08T12:05:06.430Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5302", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:10:15.915Z", "dateReserved": "2026-04-01T05:33:27.052Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-04-08T12:05:06.430Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:coolercontrol:coolercontrold:*:*:*:*:*:*:*:*", "matchCriteriaId": "058074F8-B65C-4417-A5A1-9746DF8E3B12", "versionEndExcluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites"}], "id": "CVE-2026-5302", "lastModified": "2026-04-16T00:40:11.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cve@gitlab.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T13:16:43.403", "references": [{"source": "cve@gitlab.com", "tags": ["Exploit"], "url": "https://gitlab.com/coolercontrol/coolercontrol/-/blob/2.0.0/coolercontrold/src/api/mod.rs?ref_type=tags#L374"}, {"source": "cve@gitlab.com", "tags": ["Release Notes"], "url": "https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-942"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,4.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "coolercontrold", "vendor": "coolercontrol"}], "analysis": {"en": {"generated_at": "2026-04-08T13:21:13.417695+00:00", "value": {"mitigation_remediation": ["Upgrade CoolerControl to version 4.0.0"], "summary": {"action": "Apply Patch", "impact": "Remote data exposure and unauthorized command execution"}, "threat_synthesis": {"affected_systems": "CoolerControl\u2019s coolercontrold component, specifically all releases before version 4.0.0, is affected. The advisory applies to the current 2.0.0 codebase referenced in the source repository.", "description_and_impact": "The vulnerability is a CORS misconfiguration in the coolercontrold service that allows unauthenticated attackers to bypass same\u2011origin restrictions. This flaw, classified as CWE\u2011942, enables malicious web pages to read sensitive data returned by the service and to issue commands to it, effectively granting remote control over the device.", "risk_and_exploitability": "The CVSS score of 6.3 indicates a moderate threat level. No EPSS score is available and the issue is not listed in KEV, suggesting limited public exploitation data. The likely attack vector is through a web browser that visits a malicious site, leveraging the permissive cross\u2011domain policy to interact with the service. Exploitation requires no special privileges or authentication, so the risk to exposed systems is significant."}}}}, "created": "2026-04-08T19:39:41.204027+00:00", "updated": "2026-04-09T08:21:50.915983+00:00", "vendors": ["coolercontrol", "coolercontrol$PRODUCT$coolercontrold"]}