CVE-2026-24423CRITICAL 9.8CISA KEVEPSS p99.7%

CVE-2026-24423SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability

SmarterTools / SmarterMail

Description

SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves the malicious OS command and could lead to command execution.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS87.69% probability of exploitation · percentile 99.7% · 2026-06-17T12:03:21Z
Published2026-01-23
Last modified2026-02-06

CISA KEV entry

Added to KEV: 2026-02-05

Underlying weaknesses· 1

CWE-306

References

  1. https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail
  2. https://www.smartertools.com/smartermail/release-notes/current
  3. https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api
  4. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24423

1

TypeTargetConfidenceTier
WeaknessMissing Authentication for Critical Functioncwe-3060%live

(incoming)1

TypeTargetConfidenceTier
KEVEntrySmarterTools SmarterMail Missing Authentication for Critical Function Vulnerabilitykev-cve-2026-244230%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability
CVE
SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability
CVE
CVE-2026-7807
CVE
CVE-2026-40514
CVE
SimpleHelp Missing Authorization Vulnerability
CVE
CVE-2026-27441
Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.