SimpleHelp OIDC auth bypass actively exploited (CVE-2026-48558)
CVE-2026-48558
CVE-2026-48558: SimpleHelp 5.5.15 & 6.0 pre-release OIDC auth bypass grants unauthenticated admin session. Actively exploited. Update to 5.5.16 or later.
Actively exploited in the wild - CVE-2026-48558 is a critical authentication bypass in SimpleHelp versions 5.5.15 and prior and all 6.0 pre-release builds that lets unauthenticated attackers forge OIDC tokens to obtain a fully privileged technician session. Patched in SimpleHelp 5.5.16 - update immediately if you use OIDC authentication.
Overview
CVE-2026-48558 abuses the OIDC (OpenID Connect) authentication flow in SimpleHelp remote support software. When OIDC is enabled, the application accepts identity tokens submitted during login without verifying their cryptographic signature. This means an attacker can craft a fake token containing arbitrary user claims - including role and organization identifiers - and present it to the login endpoint to authenticate as any user, including a technician with full administrative access.
The vulnerability carries a CVSS score of 10.0 (Critical) due to its network-based attack vector, low complexity, no required privileges, and no user interaction. In some deployments where MFA is enforced through the OIDC provider, this bypass also circumvents multi-factor authentication because the forged token is accepted as a valid completed authentication.
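The flaw described above, as an added illustration that is not SimpleHelp's code: a decoder that trusts the ID token's claims without checking the signature, next to the validation the patched behaviour requires (pinned algorithm, signature, issuer, audience, expiry). It assumes an HS256 shared secret and a constructed issuer and client id for self-containment; real OIDC ID tokens are normally RS256-signed and checked against the provider's JWKS, but the validation steps are the same.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo values (assumptions, not from any real deployment).
DEMO_KEY = b"constructed-shared-secret"
EXPECTED_ISS = "https://idp.example.test"   # constructed issuer
EXPECTED_AUD = "simplehelp-demo-client"     # constructed client id

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, key: Optional[bytes], alg: str = "HS256") -> str:
    """Build a compact JWT; key=None produces an unsigned token (empty signature)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if key else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def vulnerable_claims(token: str) -> dict:
    """The flawed pattern: decode the payload and trust role/org claims outright."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))

def verified_claims(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """The fixed pattern: pin the algorithm, verify the signature, then the claims."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # claims are only read after the signature holds
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims
```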
Impact
A remote, unauthenticated attacker exploiting CVE-2026-48558 gains:
- A fully authenticated technician session in the SimpleHelp console
- Full remote control over attended and unattended endpoints managed by the server
- Access to session recordings, file transfers, and chat logs
- Ability to deploy arbitrary commands or payloads to connected devices
The EPSS probability score is 0.7%, indicating a low probability of widespread exploitation in the next 30 days, but CISA has confirmed active exploitation in the wild, making this a high-priority fix for any organization using SimpleHelp with OIDC.
Remediation
SimpleHelp has released version 5.5.16 which applies proper cryptographic signature verification to all OIDC identity tokens. Users running SimpleHelp 5.5.15 or earlier, or any 6.0 pre-release build, should upgrade to 5.5.16 immediately. If upgrading is not possible in the short term, disable OIDC authentication and fall back to local SimpleHelp accounts as a compensating control. Audit all existing OIDC sessions for signs of unauthorized access.
Security Insight
CVE-2026-48558 is a textbook case of vendors shipping OIDC integration without enforcing the most basic security property of the protocol - token signature verification. This mirrors similar flaws in other remote access tools (e.g., CVE-2023-23397 in Microsoft Teams) where identity assertion trust was assumed rather than validated. For organizations that centralize authentication through OIDC/SSO, this highlights the need to test that token validation is enforced at the application layer, not just assumed from the protocol implementation.