CVE-2026-5302 describes a CORS misconfiguration vulnerability in CoolerControl's coolercontrold product versions prior to 4.0.0, specifically affecting version 2.0.0. The permissive cross-domain policy allows unauthenticated remote attackers to interact with the service from malicious websites, enabling them to read sensitive data and issue commands. This vulnerability is categorized under CWE-942, which involves permissive cross-domain policies that trust unverified domains. The CVSS v3.1 base score is 6.3 (medium), reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, and impacts on confidentiality, integrity, and availability. No official fix or patch has been documented, and the product is not a cloud service, so remediation depends on vendor updates.

Successful exploitation of this vulnerability can lead to unauthorized disclosure of data and unauthorized command execution on the affected coolercontrold service. Because the vulnerability allows cross-origin requests from untrusted domains, attackers can leverage malicious websites to perform actions as if they were legitimate users, potentially compromising confidentiality, integrity, and availability of the service. However, exploitation requires user interaction (e.g., visiting a malicious website). There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, users should monitor CoolerControl's advisories for updates. Until a fix is available, consider restricting or disabling CORS policies on the affected service to limit cross-origin requests to trusted domains only. Avoid visiting untrusted websites while using affected versions. No vendor advisory states that no action is required or that the issue is already mitigated.