Skip to main content

Suse EUVDEUVD-2026-20457

| CVE-2026-5300 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-04-08 GitLab GHSA-8gfg-vxcc-9fj7
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
4.0.0
EUVD ID Assigned
Apr 08, 2026 - 13:16 euvd
EUVD-2026-20457
Analysis Generated
Apr 08, 2026 - 13:16 vuln.today
CVE Published
Apr 08, 2026 - 12:04 nvd
MEDIUM 5.9

DescriptionCVE.org

Unauthenticated functionality in CoolerControl/coolercontrold <4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests

AnalysisAI

CoolerControl's coolercontrold daemon versions before 4.0.0 lack proper authentication controls, allowing unauthenticated local attackers to view and modify sensitive system data through unprotected HTTP API endpoints. The vulnerability affects coolercontrold 0.14.0 through 3.x, with CVSS 5.9 reflecting local attack vector and low-complexity exploitation; no public exploit code or active KEV status identified at time of analysis.

Technical ContextAI

CoolerControl's coolercontrold is a system daemon that manages cooling hardware via an HTTP-based REST API. The vulnerability stems from CWE-306 (Missing Authentication Check), where the API router (coolercontrold/src/api/router.rs) implements endpoints without verifying caller identity or authorization. Because the CVSS vector specifies AV:L (local attack vector), the HTTP server likely binds to localhost or a local socket, restricting direct network access but allowing any local process or user to interact with it. The attack surface includes reading system configuration, sensor data, and modifying cooling profiles or hardware settings.

RemediationAI

Upgrade coolercontrold to version 4.0.0 or later immediately. The vendor-released patch is confirmed in version 4.0.0 per the official GitLab release. For users unable to patch immediately, implement local network isolation by restricting access to the coolercontrold HTTP port to trusted processes and users only, and run coolercontrold with minimal necessary privileges to limit the impact of unauthorized modifications to cooling settings. Verify installation via https://gitlab.com/coolercontrol/coolercontrol/-/releases/4.0.0.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-20457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy