Wasteland.

SimpleHelp OIDC Authentication Bypass (CVE-2026-48558) Lands on CISA's KEV List

A critical authentication bypass in SimpleHelp's OIDC login flow lets unauthenticated attackers forge identity tokens to seize fully authenticated technician sessions, and CISA confirms it is being actively exploited.

What Is It

CVE-2026-48558 is an authentication bypass (CWE-347, Improper Verification of Cryptographic Signature) in SimpleHelp's OIDC login flow. When OIDC authentication is configured, the server accepts the identity token submitted at login without verifying its cryptographic signature, so the token's claims are trusted as written rather than as vouched for by the identity provider. A remote, unauthenticated attacker who can reach the login endpoint can therefore submit a forged token carrying arbitrary identity claims and obtain a fully authenticated technician session, without holding any of the identity provider's signing keys. No user interaction is required. In some configurations, this may also allow multi-factor authentication to be bypassed.
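To make the CWE-347 pattern concrete, here is an added example (not SimpleHelp's code and not part of the advisory) that contrasts a login handler which decodes ID-token claims without checking the signature against one that verifies the algorithm, the signature, the issuer, the audience and the expiry before trusting anything. The HS256 demo key, issuer URL, audience and fixed clock are constructed assumptions for the example; a real OIDC relying party would verify an RS256/ES256 signature against the provider's published JWKS, but the verification steps and the failure mode are the same.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values (assumptions for this example, not SimpleHelp's or any IdP's).
IDP_KEY = b"constructed-demo-hs256-key"      # stands in for the identity provider's signing key
EXPECTED_ISS = "https://idp.example.test"     # issuer the relying party trusts
EXPECTED_AUD = "simplehelp-demo-client"       # client_id the token must be issued for
NOW = 1_800_000_000                           # fixed "current time" so the example is deterministic


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, key: Optional[bytes]) -> str:
    """Build a JWT-shaped ID token. With key=None the token is unsigned (alg=none,
    empty signature), which is all an attacker without the IdP key can produce."""
    header = {"alg": "HS256" if key else "none", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    if key is None:
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def vulnerable_login(token: str) -> str:
    """CWE-347 pattern: split the token, decode the payload, trust its claims.
    Whatever 'sub' the attacker wrote becomes the logged-in technician."""
    payload = json.loads(b64url_decode(token.split(".")[1]))
    return payload["sub"]


def hardened_login(token: str, key: bytes, now: int = NOW) -> str:
    """Verify before trusting: pinned algorithm, constant-time signature check over the
    exact header.payload bytes received, then issuer, audience and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # rejects alg=none and algorithm confusion
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise PermissionError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise PermissionError("expired or missing exp")
    return claims["sub"]


def try_hardened_login(token: str, key: bytes = IDP_KEY, now: int = NOW) -> Optional[str]:
    """Convenience wrapper: the authenticated subject, or None if the token was rejected."""
    try:
        return hardened_login(token, key, now)
    except (PermissionError, ValueError, KeyError):
        return None


if __name__ == "__main__":
    claims = {"sub": "admin", "iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": NOW + 300}
    forged = make_id_token(claims, None)        # attacker: no key, arbitrary claims
    genuine = make_id_token(claims, IDP_KEY)    # IdP: same claims, real signature
    print("vulnerable handler accepts forged token as:", vulnerable_login(forged))
    print("hardened handler on forged token:", try_hardened_login(forged))
    print("hardened handler on genuine token:", try_hardened_login(genuine))
```

The two handlers receive byte-for-byte the same forged token; the only difference is whether the signature is checked before the claims are read. Note that the hardened path pins the expected algorithm and compares the signature over the exact `header.payload` string it received, rather than over a re-serialised payload, so an attacker cannot slip different bytes past the check.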

Why It Matters

The flaw carries a CVSS 3.1 base score of 10.0 (CRITICAL): network attack vector, low attack complexity, no privileges required, no user interaction, and a changed scope yielding high confidentiality, integrity, and availability impact. CISA's SSVC assessment rates exploitation as active, automatable as yes, and technical impact as total. Because the attack requires neither credentials nor user interaction, any vulnerable, internet-exposed instance can be taken over by anyone able to reach its login endpoint, and a compromised technician session in a remote-support tool extends that reach to every endpoint the technician can manage.

What's Vulnerable

Affected versions are SimpleHelp 5.5.0 through 5.5.15 (any 5.5.x release before 5.5.16) and the 6.0 pre-release builds before 6.0 RC2. Releases 5.5.16 and 6.0 RC2 fall outside the affected range. Only deployments with OIDC authentication configured are exploitable.

Patch Status

CISA added CVE-2026-48558 to the Known Exploited Vulnerabilities catalog on 2026-06-29, confirming active exploitation, with a required-action due date of 2026-07-02, three days later. Required action: apply mitigations per vendor instructions in accordance with CISA's BOD 26-04 guidance and Forensics Triage Requirements; follow applicable BOD 26-04 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Stakeholders must evaluate each asset's internet exposure. Because successful exploitation yields a legitimate-looking technician session rather than a crash or an error, patching alone does not close an incident; operators of OIDC-enabled instances should also review technician logins and session activity for the exposure window. Known use in ransomware campaigns is currently listed as Unknown.
