Threat Advisory

SimpleHelp Vulnerability Allows Authentication Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-48558, with a CVSS score of 10.0, is a critical authentication bypass affecting SimpleHelp remote support software when OpenID Connect (OIDC) single sign-on is configured, impacting all released versions that allow OIDC token handling without signature verification. The flaw resides in the login flow: the server accepts identity tokens submitted by a client without validating the cryptographic signature, enabling an unauthenticated attacker to craft a forged JWT that appears to originate from a trusted identity provider. Exploitation requires only network access to the public-facing SimpleHelp portal and the ability to submit a malicious token; no prior credentials or multi-factor authentication are needed. Once the forged token is accepted, the attacker gains a fully privileged technician session, which by default can execute arbitrary scripts, register new devices, and remotely control managed endpoints across the corporate network. The business impact includes complete loss of confidentiality, integrity, and availability of critical systems, potential data exfiltration, ransomware deployment, and regulatory breach penalties. Exploitation is possible only when OIDC is enabled and the server is exposed to the Internet without additional token validation controls.
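The root cause described above is an identity token whose signature is never checked before its claims are trusted. The following added example, which is not SimpleHelp's code and is not taken from the advisory, contrasts that vulnerable pattern with a verifier that pins the algorithm and checks signature, issuer, audience and expiry before any claim is used. It uses HS256 with a constructed shared secret so it runs offline; a real OIDC integration verifies RS256/ES256 signatures against the provider's published JWKS, but the order and completeness of the checks are the same. The issuer, audience and secret values are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the illustration only (not from the advisory).
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.test"   # hypothetical identity provider
EXPECTED_AUDIENCE = "simplehelp-demo-client"   # hypothetical OIDC client id


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)   # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unsafe_decode_claims(token: str) -> dict:
    """The vulnerable pattern: the payload is decoded and trusted while
    the signature segment is never examined, so any token that parses
    as JSON is accepted regardless of who minted it."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_id_token(token: str, now: Optional[float] = None) -> dict:
    """Hardened verifier: structure, pinned algorithm, signature, issuer,
    audience and expiry are all checked before claims are returned."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the full signature.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or has no exp")
    return claims


def is_rejected(token: str, now: Optional[float] = None) -> bool:
    """True when the hardened verifier refuses the token."""
    try:
        verify_id_token(token, now=now)
    except ValueError:
        return True
    return False


def issue_demo_token(claims: dict, alg: str = "HS256", key: bytes = SHARED_SECRET) -> str:
    """Constructed stand-in for the identity provider so the verifier can be
    exercised offline. Signing with a key other than SHARED_SECRET models a
    token that the trusted provider did not mint."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "tech-1", "exp": 2_000_000_000}
    good = issue_demo_token(claims)
    untrusted = issue_demo_token(claims, key=b"not-the-provider-key")
    print("trusted token accepted:", verify_id_token(good, now=1_000)["sub"])
    print("vulnerable path accepts untrusted token:", unsafe_decode_claims(untrusted)["sub"])
    print("hardened path rejects untrusted token:", is_rejected(untrusted, now=1_000))
```

The point to take from the contrast is that `unsafe_decode_claims` returns a technician identity for a token signed by anyone, while `verify_id_token` refuses it at the signature step; the issuer, audience and expiry checks that follow stop replay of a genuine token against the wrong application or after it has lapsed.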


RECOMMENDATION:

  • We recommend updating SimpleHelp to version v2.5.1.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/simplehelp-authentication-bypass/
