CVE-2026-5300 Overview
CVE-2026-5300 is an authentication bypass vulnerability in CoolerControl/coolercontrold versions prior to 4.0.0. The vulnerability allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests to the coolercontrold daemon. This missing authentication for critical function (CWE-306) enables local attackers to interact with the cooling control API without proper authorization checks.
Critical Impact
Unauthenticated local attackers can view and modify system cooling configurations, potentially leading to hardware damage, data exposure, or system instability through manipulation of fan speeds and thermal management settings.
Affected Products
- CoolerControl/coolercontrold versions prior to 4.0.0
Discovery Timeline
- 2026-04-08 - CVE-2026-5300 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-5300
Vulnerability Analysis
This vulnerability stems from missing authentication mechanisms in the CoolerControl daemon's HTTP API. CoolerControl is an open-source application for monitoring and controlling cooling devices on Linux systems. The coolercontrold daemon exposes an HTTP API that handles requests for viewing system status and modifying cooling configurations.
In vulnerable versions, the API router implementation in router.rs lacks proper authentication checks before processing incoming requests. This allows any local process or user on the system to interact with the daemon's API endpoints without providing credentials or tokens.
The impact includes unauthorized access to potentially sensitive system information such as hardware configurations, temperature readings, and cooling profiles. More critically, attackers can modify fan speeds, cooling curves, and other thermal management settings, which could lead to system overheating, hardware damage, or performance degradation.
Root Cause
The root cause is the absence of authentication middleware or access control checks in the API router implementation. The router.rs file in versions prior to 4.0.0 processes HTTP requests without validating the identity or authorization level of the requesting client. This missing authentication for critical function (CWE-306) violates the security principle that sensitive operations should require proper authentication.
Attack Vector
The attack vector is local, requiring the attacker to have access to the same machine running the vulnerable coolercontrold service. An attacker can craft HTTP requests to the daemon's listening port to:
- Query current cooling configurations and system status without authorization
- Modify fan profiles, speed curves, and thermal thresholds
- Potentially disable or misconfigure cooling systems leading to hardware damage
The vulnerability does not require user interaction and can be exploited with low attack complexity. Technical details of the vulnerable code can be found in the CoolerControl source code.
Detection Methods for CVE-2026-5300
Indicators of Compromise
- Unexpected HTTP connections to the coolercontrold service port from unauthorized processes
- Unusual modifications to cooling profiles or fan speed configurations
- Log entries showing API requests from unexpected sources or at unusual times
Detection Strategies
- Monitor for processes making HTTP requests to the coolercontrold daemon that are not the official CoolerControl GUI application
- Implement host-based intrusion detection rules to alert on unauthorized access to the coolercontrol API endpoints
- Review system logs for unexpected configuration changes to cooling profiles
Monitoring Recommendations
- Enable verbose logging in coolercontrold to track all API requests and their sources
- Monitor system temperatures and fan speeds for unexpected changes that could indicate unauthorized modifications
- Implement file integrity monitoring on CoolerControl configuration files
How to Mitigate CVE-2026-5300
Immediate Actions Required
- Upgrade CoolerControl/coolercontrold to version 4.0.0 or later immediately
- Review cooling configurations for any unauthorized modifications
- Restrict network access to the coolercontrold service using firewall rules until patching is complete
Patch Information
The vulnerability has been addressed in CoolerControl version 4.0.0. Users should upgrade to this version or later to receive the security fix. Release notes and download information are available from the CoolerControl 4.0.0 Release.
Workarounds
- Implement local firewall rules to restrict access to the coolercontrold HTTP port to only trusted processes
- Run the coolercontrold service with minimal system privileges where possible
- Consider disabling the HTTP API functionality if not required for your use case until the update can be applied
# Configuration example
# Restrict access to coolercontrold port using iptables (temporary workaround)
# Replace PORT with the actual port coolercontrold listens on
sudo iptables -A INPUT -p tcp --dport PORT -j DROP
sudo iptables -A INPUT -p tcp --dport PORT -s 127.0.0.1 -m owner --uid-owner root -j ACCEPT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
