CVE-2026-48558 – SimpleHelp
“When identity checks fail, attackers can become trusted users instantly.”
This patch addresses CVE-2026-48558 in SimpleHelp. The vulnerability affects SimpleHelp versions 5.5.15 and earlier, as well as 6.0 pre-release versions. An authentication bypass weakness in the OpenID Connect (OIDC) authentication flow allows identity tokens to be accepted without validating their cryptographic signatures. As a result, a remote, unauthenticated attacker can forge identity claims and obtain a fully authenticated technician session.
CVE-2026-48558 has a CVSS score of 10.0, which is Critical severity. The vulnerability is classified as CWE-347, Improper Verification of Cryptographic Signature. In affected deployments, attackers may gain technician-level access without valid credentials and potentially bypass multi-factor authentication controls. No user interaction is required.
Key Details
- Affected Product
- Simple-help Simplehelp
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-347