# CVE-2026-48558

## Summary

SimpleHelp OIDC authentication accepts unsigned/forged ID tokens, enabling remote authentication bypass and possible MFA bypass in versions 5.5.15 and earlier and 6.0 prereleases prior to the fixed release.

## Description

SimpleHelp's OpenID Connect (OIDC) authentication flow fails to verify the cryptographic signature on submitted identity tokens. An unauthenticated remote attacker can forge an ID token with arbitrary claims to obtain a fully authenticated technician session; in some configurations this also bypasses multi-factor authentication. The issue affects SimpleHelp 5.5.15 and earlier and 6.0 prerelease builds before the fixed release.

## Affected Package
- **Name:** SimpleHelp (server)
- **Ecosystem:** other (commercial remote support application)
- **Vulnerable versions:** 5.5.15 and earlier; 6.0 prerelease versions before 6.0 RC2/6.0 (20260327-150806)
- **Patched versions:** 5.5.16; 6.0 RC2 / 6.0 prerelease (fixed)

## Details
When OIDC authentication is enabled for technician logins, SimpleHelp accepts the submitted ID token without validating its signature. Because the token’s signature is not verified, an attacker can craft a JWT with arbitrary identity claims (e.g., a technician’s email/username) and submit it to the OIDC login flow. The server treats the forged token as valid and creates an authenticated technician session. This bypasses authentication entirely and may also bypass configured MFA.
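The missing check above is the difference between decoding a JWT and verifying one. The following Go program is an added illustration written for this advisory, not SimpleHelp's code (which is not public), and it does not reproduce any SimpleHelp endpoint: `unsafeClaims` models the vulnerable behaviour (decode the payload, trust it), while `verifiedClaims` is the hardened relying-party check an OIDC client is expected to perform: pin the signing algorithm, verify the RS256 signature under the provider's public key, then check `iss`, `aud`, `nonce` and `exp`. The `Expected` struct, the `signRS256`/`unsignedToken` helpers, the single-string `aud` model and the sample issuer and client identifiers are all assumptions made for the demonstration; a real client would fetch the provider's keys from its JWKS endpoint rather than hold them in memory.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims checked here. "aud" is modelled as a single
// string for brevity (OIDC also permits an array; a production verifier handles both).
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
	Email string `json:"email"`
}

// Expected is what the relying party knows out of band before a token arrives:
// the provider's issuer, its own client_id, and the nonce it sent in the auth request.
type Expected struct {
	Issuer, Audience, Nonce string
	Now                     time.Time
}

// decodeSegment base64url-decodes one JWT segment and parses it as JSON.
func decodeSegment(s string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// unsafeClaims reproduces the vulnerable pattern: the payload is decoded and
// trusted without the header or the signature ever being examined.
func unsafeClaims(token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	err := decodeSegment(parts[1], &c)
	return c, err
}

// verifiedClaims is the hardened path: pin the algorithm, verify the RS256 signature
// over header.payload under the provider's key, then validate the standard claims.
func verifiedClaims(token string, providerKey *rsa.PublicKey, want Expected) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := decodeSegment(parts[0], &header); err != nil {
		return Claims{}, err
	}
	if header.Alg != "RS256" { // rejects "none", HS*, and anything the provider does not use
		return Claims{}, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(providerKey, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, errors.New("signature verification failed")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return Claims{}, err
	}
	switch {
	case c.Iss != want.Issuer:
		return Claims{}, errors.New("issuer mismatch")
	case c.Aud != want.Audience:
		return Claims{}, errors.New("audience mismatch")
	case c.Nonce != want.Nonce:
		return Claims{}, errors.New("nonce mismatch (replayed or cross-login token)")
	case !want.Now.Before(time.Unix(c.Exp, 0)):
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// signRS256 produces a compact JWS the way an OIDC provider would; used only to
// construct sample tokens for the demonstration.
func signRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) +
		"." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// unsignedToken builds an "alg":"none" token with an empty signature segment,
// i.e. a constructed sample carrying no valid signature at all.
func unsignedToken(c Claims) string {
	payload, _ := json.Marshal(c)
	return base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none"}`)) +
		"." + base64.RawURLEncoding.EncodeToString(payload) + "."
}

func main() {
	provider, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP's signing key
	other, _ := rsa.GenerateKey(rand.Reader, 2048)    // a key the relying party does not trust
	now := time.Now()
	want := Expected{Issuer: "https://idp.example", Audience: "rp-client-id", Nonce: "n1", Now: now}
	claims := Claims{Iss: want.Issuer, Sub: "tech-1", Aud: want.Audience,
		Exp: now.Add(5 * time.Minute).Unix(), Nonce: "n1", Email: "tech@example.test"}
	genuine, _ := signRS256(provider, claims)
	forged, _ := signRS256(other, claims)
	samples := map[string]string{"genuine": genuine, "untrusted-key": forged, "unsigned": unsignedToken(claims)}
	for name, tok := range samples {
		_, unsafeErr := unsafeClaims(tok)
		_, safeErr := verifiedClaims(tok, &provider.PublicKey, want)
		fmt.Printf("%-14s vulnerable accepts=%v  hardened accepts=%v\n", name, unsafeErr == nil, safeErr == nil)
	}
}
```

Running it shows the vulnerable path accepting all three sample tokens while the hardened path accepts only the one signed by the provider's key. The nonce and audience checks matter as much as the signature: a correctly signed token issued for a different client, or replayed from an earlier login, is still not proof of this login.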

## Reproduction Steps
> Note: Exact callback endpoints and parameters depend on the specific OIDC configuration. The steps below describe a vendor-agnostic reproduction based on the advisory details.

1. **Set up a vulnerable server**
   - Install SimpleHelp **5.5.15 or earlier** (or a **6.0 prerelease prior to RC2/6.0**).
2. **Enable OIDC authentication**
   - Configure an OpenID Connect provider for technician logins in SimpleHelp’s authentication settings.
3. **Identify the OIDC callback endpoint**
   - Initiate a technician login and capture the OIDC callback URL used by SimpleHelp (the endpoint that receives the `id_token`).
4. **Forge an ID token**
   - Create a JWT with claims matching an existing technician account (e.g., email/username) and **no valid signature** (or sign with an arbitrary key not trusted by the OIDC provider).
5. **Submit the forged token**
   - Send the forged `id_token` to the SimpleHelp OIDC callback endpoint as the login response.
6. **Observe the result**
   - The server accepts the token and grants a technician session without verifying the signature.

## Indicators of Success
- A technician session is created and authenticated using a forged/unsigned ID token.
- Access to technician console features is granted without valid OIDC authentication.
- (Optional) MFA prompts are bypassed if MFA is configured for OIDC logins.

## Notes
- The issue is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.

## References
- https://nvd.nist.gov/vuln/detail/CVE-2026-48558
- https://simple-help.com/security/simplehelp-security-update-2026-05
- https://simple-help.com/release-news
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-48558
## Metadata

- Product: other:SimpleHelp
- Severity: critical
- Status: open
