Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests
AnalysisAI
CoolerControl's coolercontrold daemon versions before 4.0.0 lack proper authentication controls, allowing unauthenticated local attackers to view and modify sensitive system data through unprotected HTTP API endpoints. The vulnerability affects coolercontrold 0.14.0 through 3.x, with CVSS 5.9 reflecting local attack vector and low-complexity exploitation; no public exploit code or active KEV status identified at time of analysis.
Technical ContextAI
CoolerControl's coolercontrold is a system daemon that manages cooling hardware via an HTTP-based REST API. The vulnerability stems from CWE-306 (Missing Authentication Check), where the API router (coolercontrold/src/api/router.rs) implements endpoints without verifying caller identity or authorization. Because the CVSS vector specifies AV:L (local attack vector), the HTTP server likely binds to localhost or a local socket, restricting direct network access but allowing any local process or user to interact with it. The attack surface includes reading system configuration, sensor data, and modifying cooling profiles or hardware settings.
RemediationAI
Upgrade coolercontrold to version 4.0.0 or later immediately. The vendor-released patch is confirmed in version 4.0.0 per the official GitLab release. For users unable to patch immediately, implement local network isolation by restricting access to the coolercontrold HTTP port to trusted processes and users only, and run coolercontrold with minimal necessary privileges to limit the impact of unauthorized modifications to cooling settings. Verify installation via https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0.
Same technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20457
GHSA-8gfg-vxcc-9fj7