CVE-2026-48558 – SimpleHelp

CVSS 10 CRITICAL Critical or Zero Day – Immediate Deployment

“When identity checks fail, attackers can become trusted users instantly.”

This patch addresses CVE-2026-48558 in SimpleHelp. The vulnerability affects SimpleHelp versions 5.5.15 and earlier, as well as 6.0 pre-release versions. An authentication bypass weakness in the OpenID Connect (OIDC) authentication flow allows identity tokens to be accepted without validating their cryptographic signatures. As a result, a remote, unauthenticated attacker can forge identity claims and obtain a fully authenticated technician session.

CVE-2026-48558 has a CVSS score of 10.0, which is Critical severity. The vulnerability is classified as CWE-347, Improper Verification of Cryptographic Signature. In affected deployments, attackers may gain technician-level access without valid credentials and potentially bypass multi-factor authentication controls. No user interaction is required.

Key Details

Affected Product
Simple-help Simplehelp
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-347
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.