Mallory
Critical

Authentication Bypass in SimpleHelp OIDC Authentication Flow

Identifiers: CVE-2026-48558 · CWE-347 (Improper Verification of…)

CVE-2026-48558 is a critical authentication bypass vulnerability affecting SimpleHelp versions 5.5.15 and earlier, as well as 6.0 pre-release versions. The flaw exists in the OpenID Connect (OIDC) authentication flow: when OIDC authentication is configured, SimpleHelp accepts the identity token submitted during login without verifying its cryptographic signature. Because the signature is never checked, a remote unauthenticated attacker can forge an identity token carrying arbitrary identity claims and have the server treat those claims as authentic. In vulnerable deployments, this lets the attacker create or assume a fully authenticated technician session. The issue affects deployments with a configured OIDC provider, including generic OIDC and Azure Active Directory OIDC, in configurations where technician group-authenticated logins are enabled.
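The pattern behind CWE-347, shown as an added example that is not SimpleHelp's code and does not reproduce its implementation: a relying party that splits the token, base64-decodes the claims and trusts them (the flawed check) beside a verifier that pins the algorithm, selects the provider key by kid, verifies the RS256 signature over header.payload and only then validates issuer, audience and expiry. The issuer URL, client ID, key ID and claims are made up; the "identity provider" is an RSA key generated in-process standing in for the provider's JWKS, and RS256 (RSASSA-PKCS1-v1_5 with SHA-256) is assumed because it is the most common OIDC ID-token algorithm, not because the page states what SimpleHelp's providers use.

```go
package main

// Added example, not SimpleHelp's code: the CWE-347 pattern the advisory describes
// (ID-token claims trusted unsigned) beside a verifier that checks the signature,
// issuer, audience and expiry. Issuer, client ID, kid and claims are made up.
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims the relying party acts on.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Email string `json:"email"`
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

func encodePart(v interface{}) string {
	raw, _ := json.Marshal(v)
	return b64.EncodeToString(raw)
}

func decodePart(part string, v interface{}) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// signRS256 is the identity provider's side: header.payload signed with its private key.
func signRS256(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	input := encodePart(map[string]string{"alg": "RS256", "kid": kid}) + "." + encodePart(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// forgeToken is the attacker's side: a plausible header, arbitrary claims and random
// bytes in the signature slot, since the attacker does not hold the provider's key.
func forgeToken(kid string, c Claims) string {
	junk := make([]byte, 256)
	rand.Read(junk)
	return encodePart(map[string]string{"alg": "RS256", "kid": kid}) + "." + encodePart(c) + "." + b64.EncodeToString(junk)
}

// vulnerableClaims is the flawed check: decode the payload and trust it. The signature
// segment is never examined, so anything forgeToken produces is accepted.
func vulnerableClaims(token string) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	err = decodePart(parts[1], &c)
	return c, err
}

// verifyIDToken is the hardened check: pin the algorithm, pick the key by kid, verify the
// signature over header.payload, then validate iss, aud and exp against expectations.
func verifyIDToken(token string, keys map[string]*rsa.PublicKey, issuer, clientID string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed token")
	}
	var h map[string]string
	if err := decodePart(parts[0], &h); err != nil || h["alg"] != "RS256" { // also rejects "none" and HMAC downgrades
		return Claims{}, fmt.Errorf("bad header or unsupported alg %q", h["alg"])
	}
	pub, ok := keys[h["kid"]]
	if !ok {
		return Claims{}, fmt.Errorf("unknown kid %q", h["kid"])
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return Claims{}, err
	}
	if c.Iss != issuer || c.Aud != clientID || now.Unix() >= c.Exp {
		return Claims{}, fmt.Errorf("issuer, audience or expiry check failed")
	}
	return c, nil
}

func main() {
	const issuer, clientID, kid = "https://idp.example.test", "simplehelp-client", "idp-key-1"
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged := forgeToken(kid, Claims{Iss: issuer, Aud: clientID, Exp: time.Now().Add(time.Hour).Unix(), Email: "admin@example.test"})
	c, err := vulnerableClaims(forged)
	fmt.Println("vulnerable check accepts:", c.Email, err)
	_, err = verifyIDToken(forged, map[string]*rsa.PublicKey{kid: &priv.PublicKey}, issuer, clientID, time.Now())
	fmt.Println("hardened check:", err)
}
```

Running it prints the forged email from the vulnerable check and a signature failure from the hardened one. Two points worth noting when porting this check: the public key must come from the provider's published key set (looked up by kid, with rotation handled), not from anything inside the token, and a signature check alone is not a complete ID-token validation; the issuer, audience, expiry and, for authorization-code flows, the nonce must still be compared against what the relying party expects.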


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote unauthenticated attacker to obtain a fully authenticated SimpleHelp technician session and, in practice, administrative or highly privileged control over the SimpleHelp deployment. A compromised technician account can typically remote into managed endpoints, execute scripts, and access remote support functionality across enterprise systems. In some configurations, the flaw also enables bypass of multi-factor authentication because technician accounts can enroll their own MFA method on first login. The resulting impact includes unauthorized access, lateral movement into managed endpoints, malicious script execution, compromise of remote support infrastructure, and potential loss of confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable or avoid the vulnerable OIDC authentication method where feasible. Restrict external exposure of SimpleHelp servers, especially public internet access, and limit technician authentication to trusted source IPs using Login Security or equivalent network controls. Review Administration -> Technicians for unexpected group-authenticated users, and inspect server logs in the UI or under /opt/SimpleHelp/logs/ for indicators of compromise. More broadly, reduce exposure of public-facing remote support deployments until patched.

Remediation

Patch, then assume compromise.

Upgrade SimpleHelp to a vendor-fixed release and stop running affected versions (5.5.15 and prior, and 6.0 pre-release builds). The fix is described in SimpleHelp's May 2026 security update and release materials. After patching, review technician accounts for unauthorized group-authenticated users, inspect server logs for suspicious technician registration and configuration-save events, and remove any attacker-created accounts or persistence established through compromised technician access.
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability.

Vendor      Product     Type
SimpleHelp  Simplehelp  application

Vendor-confirmed product mapping.
