{
  "variant_id": "CVE-2026-48558-azure-direct-id-token-no-fixed-bypass",
  "created_at": "2026-07-03T00:00:00Z",
  "variant_summary": "The Azure/Entra OIDC direct form_post id_token callback is an alternate trigger, on vulnerable 5.5.15, for the same SimpleHelp ID-token signature-verification bug; patched 5.5.16 rejects the same forged token, and no fixed-version bypass was confirmed.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "SimpleHelp commercial server binary distribution",
  "submitted_target": {
    "target_kind": "commercial_binary_release",
    "version": "5.5.15",
    "display": "SimpleHelp 5.5.15 Linux server build 20260326-092709, SHA256 26cd904ebf78ac4b2c5b99f6a9659a562390777dc8fe730469e2ecfc8ad139ab"
  },
  "variant_target": {
    "target_kind": "commercial_binary_release",
    "version": "5.5.16",
    "display": "SimpleHelp 5.5.16 Linux server build 20260526-203544, SHA256 9360af980277e1ef4330eb1ed08d981c9dfdcc4e25d87ed0552a47f5ebd5161a (fixed negative-control target)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "https_api_oidc_callback",
  "required_entrypoint_detail": "GET /auth/v1/account/oidc_get for oidc_azure provider followed by POST /oidc with form fields id_token and state",
  "attacker_controlled_input": "forged Azure/Entra OIDC id_token with alg:none, bogus signature, nonce copied from server-issued authorization URL, and attacker-controlled technician claims",
  "trigger_path": "login_options -> oidc_get generates response_type=id_token response_mode=form_post URL -> attacker posts forged id_token to /oidc -> ProxyServerAuthentication group-authenticates technician on vulnerable build",
  "observed_impact_class": "authz_bypass_on_vulnerable_only",
  "exploitability_confidence": "high_on_5_5_15_none_observed_on_5_5_16",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "No fixed-version bypass: patched 5.5.16 returns Login Failed and /auth/v1/account/status remains UNAUTHENTICATED for the same forged Azure/Entra direct id_token callback.",
  "blocking_mitigation": "5.5.16 adds IDTokenVerifier/JWKS validation on the OIDC callback paths tested. The negative result covers only the forged-token shape described in attacker_controlled_input (alg:none with a bogus signature and a copied nonce); other verifier-bypass classes were not exercised and are not ruled out by this record.",
  "file_path": "com/aem/shelp/proxy/config/authentication/AzureAuthenticationProvider.class",
  "line_start": null,
  "line_end": null,
  "secondary_anchors": [
    {
      "file_path": "com/aem/shelp/proxy/wds/OIDCCallbackManager.class",
      "line_start": null
    },
    {
      "file_path": "com/aem/shelp/proxy/authentication/oidc/OIDCAuthenticator.class",
      "line_start": null
    },
    {
      "file_path": "utils/oauth/oidc/IDTokenVerifier.class",
      "line_start": null
    },
    {
      "file_path": "com/aem/shelp/proxy/ProxyServerAuthentication.class",
      "line_start": null
    }
  ],
  "review_scope_paths": [
    "com/aem/shelp/proxy/config/authentication/AzureAuthenticationProvider.class",
    "com/aem/shelp/proxy/config/authentication/OIDCAuthenticationProvider.class",
    "com/aem/shelp/proxy/wds/OIDCCallbackManager.class",
    "com/aem/shelp/proxy/authentication/oidc/OIDCAuthenticator.class",
    "utils/oauth/oidc/IDToken.class",
    "utils/oauth/oidc/IDTokenVerifier.class",
    "com/aem/shelp/proxy/ProxyServerAuthentication.class"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
