CVE-2026-5302 Overview
CVE-2026-5302 is a Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability affecting CoolerControl/coolercontrold versions prior to 4.0.0. This vulnerability allows unauthenticated remote attackers to read sensitive data and send commands to the coolercontrold service through malicious websites. When a user visits a malicious website while running a vulnerable version of coolercontrold, the attacker can interact with the local service API, potentially gaining unauthorized control over system cooling hardware.
Critical Impact
Unauthenticated attackers can exploit this CORS misconfiguration to read data and issue commands to the coolercontrold service when users visit malicious websites, potentially allowing unauthorized control of system cooling hardware.
Affected Products
- CoolerControl/coolercontrold versions prior to 4.0.0
Discovery Timeline
- 2026-04-08 - CVE CVE-2026-5302 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-5302
Vulnerability Analysis
This vulnerability falls under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains), which occurs when an application implements a CORS policy that permits requests from arbitrary external domains. In the case of coolercontrold, the API service does not properly restrict which origins can make cross-origin requests, allowing any website to interact with the locally running daemon.
When coolercontrold is running on a user's system, it exposes an API that controls cooling hardware (fans, pumps, etc.). With the permissive CORS configuration, a malicious website can make JavaScript requests to the local coolercontrold API endpoint. This enables attackers to read system cooling data and potentially issue commands to modify fan speeds, cooling profiles, or other hardware settings.
Root Cause
The root cause of this vulnerability is an improperly configured CORS policy in the coolercontrold API module. The vulnerable code can be found in the api/mod.rs file, where the CORS headers are configured without adequate origin restrictions. This permissive configuration allows any external origin to make authenticated requests to the API, bypassing the same-origin policy protections that normally prevent such cross-domain interactions.
Attack Vector
The attack requires user interaction—specifically, the victim must visit a malicious website while the vulnerable coolercontrold service is running locally. The attack flow is as follows:
- An attacker crafts a malicious webpage containing JavaScript that targets the coolercontrold API endpoints
- The victim visits the malicious website while coolercontrold is running on their system
- The malicious JavaScript makes cross-origin requests to the local coolercontrold service (typically on localhost)
- Due to the permissive CORS policy, the browser allows these requests and the attacker can read responses and send commands
- The attacker gains the ability to read cooling system data and potentially manipulate hardware settings
The vulnerability is exploitable over the network attack vector and requires no prior authentication or privileges. For detailed technical analysis, refer to the GitLab CoolerControl Code Reference for the vulnerable code path.
Detection Methods for CVE-2026-5302
Indicators of Compromise
- Unexpected cross-origin requests to coolercontrold API endpoints from unfamiliar domains
- Unusual API access patterns in coolercontrold logs indicating external origin requests
- Configuration changes to cooling profiles that were not initiated by the user
Detection Strategies
- Monitor network traffic for cross-origin requests targeting the coolercontrold API from external domains
- Implement browser-based monitoring to detect JavaScript attempting to access local service endpoints
- Review coolercontrold service logs for requests containing suspicious or unexpected Origin headers
Monitoring Recommendations
- Enable verbose logging in coolercontrold to capture Origin headers for all API requests
- Configure network security tools to alert on connections from web browsers to local daemon services
- Implement endpoint detection solutions to monitor for suspicious cross-origin activity targeting local services
How to Mitigate CVE-2026-5302
Immediate Actions Required
- Upgrade CoolerControl/coolercontrold to version 4.0.0 or later immediately
- Restrict coolercontrold API access to localhost only via firewall rules until patching is possible
- Advise users to avoid browsing untrusted websites while running vulnerable versions of coolercontrold
Patch Information
The vulnerability has been addressed in CoolerControl version 4.0.0. This release implements proper CORS restrictions to prevent unauthorized cross-origin requests to the API. Users should upgrade to this version or later to remediate the vulnerability. For complete release details, see the GitLab CoolerControl Release Notes.
Workarounds
- Configure local firewall rules to restrict access to the coolercontrold API port to trusted local applications only
- If upgrading is not immediately possible, consider temporarily disabling the coolercontrold service when browsing the web
- Use network segmentation to isolate systems running coolercontrold from general web browsing activities
# Configuration example - Restrict coolercontrold API to localhost only using iptables
# Identify the port coolercontrold listens on (commonly 8080 or similar)
# Block external access to the coolercontrold API port
sudo iptables -A INPUT -p tcp --dport 8080 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
