CVE-2024-57726 — SimpleHelp SimpleHelp: SimpleHelp Missing Authorization Vulnerability
CVE-2024-57726 — SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.
What This Means For You
- CISA has confirmed active exploitation — immediate patching required.
- Added to CISA KEV catalog — federal agencies must remediate by 2026-05-08.
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2024-57726 | Privilege Escalation | SimpleHelp versions 5.5.7 and earlier |
| CVE-2024-57726 | Auth Bypass | Missing authorization vulnerability allowing low-privileged technicians to create API keys with excessive permissions |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | CISA |
| Channel | CISA KEV |
| Channel ID | cisa-kev |
| Message ID | 202457726 |
| Published | April 24, 2026 at 15:00 UTC |
| Original Link | https://simple-help.com/kb---security-vulnerabilities-01-... |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-42171: NSIS Privilege Escalation Vulnerability
CVE-2026-42171 — NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to...
CVE-2026-41481 — Server-Side Request Forgery
CVE-2026-41481 — LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then...
Saltcorn SQL Injection (CVE-2026-41478) Exposes Sensitive Data
CVE-2026-41478 — Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.6, 1.5.6, and 1.6.0-beta.5, a SQL injection vulnerability in Saltcorn’s mobile-sync...