HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-48558Published Modified CNA VulnCheck

CVE-2026-48558: SimpleHelp Authentication Bypass via Missing OIDC JWT Signature Verification

SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. No user interaction is required.

Metrics

CVSS v4.0
9.5
Severity
CRITICAL
Fixed in
5.5.16
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Authentication bypass in SimpleHelp (versions 5.5.0 through 5.5.15 and 6.0 pre-release builds) stems from the OIDC login flow accepting identity tokens without verifying their cryptographic signature. A remote, unauthenticated attacker can reach the login endpoint over the network, submit a forged token with arbitrary identity claims, and obtain a fully authenticated technician session, potentially bypassing multi-factor authentication in some configurations. Successful exploitation gives the attacker complete control over the SimpleHelp technician interface, enabling data access, configuration changes, and disruption of remote-support sessions. A patched-image rebuild at versions 5.5.16 and 6.0 RC2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-48558 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all container images in customer registries and CI pipelines, including custom-built images that bundle SimpleHelp. Any image carrying an affected SimpleHelp version (5.5.0-5.5.15 or a 6.0 pre-release build prior to RC2) is flagged automatically.

Available
Triage

HarborGuard scores this CVE at CVSS 9.5 (Critical, CVSS v4.0) and applies per-environment compliance policy weighting to determine urgency before routing findings to the appropriate team inbox within each customer organization. Environments where OIDC authentication is enabled on the SimpleHelp deployment are surfaced with elevated priority given the zero-authentication prerequisite for exploitation.

Available
Patch

A patched-image rebuild at SimpleHelp 5.5.16 or 6.0 RC2 becomes available through HarborGuard as soon as the upstream fix is confirmed. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; for Critical-severity issues the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the SimpleHelp login endpoint over the network; no prior foothold on the host is needed.

  • AuthenticationNot required

    No account or credentials of any kind are required; the forged OIDC token replaces the need for any legitimate credential.

  • Victim interactionNot required

    The attack is fully server-side; no user needs to click a link, open a file, or take any other action.

  • Attack complexityDetail

    Base exploit mechanics are reliable and condition-free, though the CVSS AT:P token indicates a specific prerequisite configuration (OIDC authentication must be enabled on the SimpleHelp instance) must be present for the vulnerability to be reachable.

Blast Radius

  • Attacker obtains a fully authenticated technician session, gaining the same access level as a legitimate SimpleHelp technician including ability to initiate and control remote-support connections to managed endpoints.
  • Attacker reads session data, stored credentials, and endpoint configuration held within the SimpleHelp server.
  • Attacker modifies technician accounts, access-control settings, and remote-support policies, persisting unauthorized access beyond the initial session.
  • In configurations with MFA enforced, the bypass also nullifies that second authentication factor, removing that compensating control entirely.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of ingestion for any image containing SimpleHelp 5.5.0-5.5.15 or an affected 6.0 pre-release, matching across registries and pipeline stages including custom-built images. A patched rebuild at 5.5.16 or 6.0 RC2 is available on HarborGuard; for customers with auto-remediation enabled, the platform rebuilds the image, runs regression tests, and opens a PR against affected workloads, targeting a median time of around 90 minutes from publication to merged patch PR for Critical-severity issues. For environments where an immediate upgrade is blocked by change-control requirements, consider placing SimpleHelp behind a network policy that restricts OIDC login endpoint exposure to trusted source CIDRs only, and verify that OIDC is not enabled unnecessarily. HarborGuard re-evaluates the advisory on every ingest cycle, so any revision to affected version ranges or fix availability is reflected in scan results without manual intervention.

See how HarborGuard automates this

Fix available

5.5.166.0 RC2
Affected packages
  • SimpleHelp / SimpleHelp
    < 5.5.16 (from 5.5.0) · < 6.0 RC2 (from 6.0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References