CVE-2026-48558
Description
An unauthenticated attacker can bypass OIDC authentication in SimpleHelp by forging identity tokens, gaining a full technician session without user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
SimpleHelp versions 5.5.15 and earlier, as well as pre-release versions of 6.0, are vulnerable to an authentication bypass in the OpenID Connect (OIDC) authentication flow [1][2][3]. When OIDC is configured, the server accepts identity tokens submitted during login without verifying their cryptographic signature. This allows a remote, unauthenticated attacker to submit a forged token containing arbitrary identity claims. The vulnerability is present in all servers running these versions with OIDC enabled, and no special configuration is required beyond having OIDC as an authentication method.
Exploitation
An attacker needs only network access to the SimpleHelp server's login endpoint where OIDC is configured [2]. No authentication, user interaction, or prior access is required. The attacker crafts an identity token with desired claims (e.g., technician username, email) and submits it during the OIDC login flow. Because the server does not verify the token's cryptographic signature, the forged token is accepted as valid, allowing the attacker to establish a fully authenticated technician session. In some configurations, this may also bypass multi-factor authentication.
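The defect described in the Vulnerability and Exploitation sections is a relying party that reads the claims out of an OIDC ID token and trusts them without checking the token's signature. The following is an added illustration, not SimpleHelp's code and not derived from the fix: it places that flawed acceptance path next to a hardened one that pins the algorithm, verifies the signature in constant time, and checks `iss`, `aud` and `exp`. HS256 with a constructed shared secret stands in for the RS256/JWKS setup a real provider uses; the issuer URL, audience, key and clock value are all constructed for the demo.

```python
"""Illustrative OIDC ID-token acceptance: flawed path beside hardened path.
Added example, not SimpleHelp code. HS256 stands in for RS256/JWKS."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.test"          # constructed issuer
AUDIENCE = "relying-party-client-id"         # constructed client_id
KEY = b"constructed-shared-secret-for-demo"  # constructed; real RPs use IdP public keys
FIXED_NOW = 1_700_000_000                    # fixed clock for deterministic results


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_id_token(claims: dict, key: bytes) -> str:
    """What the identity provider emits: header.payload.HMAC-SHA256(header.payload)."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    payload = _segment(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def insecure_accept(token: str) -> dict:
    """The flawed pattern the advisory describes: claims are decoded and trusted
    without any signature check, so any payload is accepted."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Hardened acceptance: returns claims only if alg, signature, iss, aud and exp
    all check out; raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the relying party expects; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the signature over header.payload.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def run_checks(now: float = FIXED_NOW) -> dict:
    """Feed a genuine token and three constructed negative vectors through both
    paths; returns the username each path would log in as, or the rejection reason."""
    genuine = issue_id_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                              "preferred_username": "alice",
                              "iat": now, "exp": now + 300}, KEY)
    bogus_claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "admin",
                    "preferred_username": "admin", "iat": now, "exp": now + 300}
    vectors = {
        "genuine": genuine,
        # Header claims "none" and the signature segment is empty.
        "unsigned": f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(bogus_claims)}.",
        # Signed with a key the identity provider never used.
        "wrong_key": issue_id_token(bogus_claims, b"some-other-key"),
        # Correctly signed by the IdP but already expired.
        "expired": issue_id_token({**bogus_claims, "exp": now - 1}, KEY),
    }
    results = {}
    for name, tok in vectors.items():
        try:
            hardened = verify_id_token(tok, KEY, ISSUER, AUDIENCE, now=now)["preferred_username"]
        except ValueError as exc:
            hardened = f"rejected: {exc}"
        results[name] = {"insecure": insecure_accept(tok)["preferred_username"],
                         "hardened": hardened}
    return results


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name:10s} insecure->{outcome['insecure']:6s} hardened->{outcome['hardened']}")
```

Running the script shows the insecure path logging every vector in as the username carried in its payload, while the hardened path accepts only the genuine token. In a real relying party the same checks apply, with the signature verified against the provider's published keys (fetched from the JWKS endpoint) using the algorithm the relying party has pinned rather than the one named in the token header.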
Impact
A successful attack grants the attacker full access to the SimpleHelp server as an authenticated technician. This includes the ability to remotely control managed endpoints, access sensitive data, modify server settings, and potentially escalate privileges further [2][3]. The impact is complete compromise of confidentiality, integrity, and availability of the SimpleHelp system and its managed devices. The vulnerability has a CVSS score of 10.0 (Critical).
Mitigation
SimpleHelp has released version 5.5.16 for users on v5.5.x and version 6.0 RC2 for users on v6.0 pre-release [1][3]. These updates fix the signature verification issue. Users should upgrade immediately. If upgrading is not possible, administrators should disable OIDC authentication as a workaround. The vendor also recommends following their security guide for hardening the server. The vulnerability is not yet listed on the CISA KEV as of publication.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=5.5.15
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is generated only when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.