CVE-2026-48558
SimpleHelp OIDC Authentication Bypass Vulnerability
SimpleHelp has released patches for CVE-2026-48558, an authentication bypass vulnerability affecting deployments configured to use OpenID Connect (OIDC) authentication. The issue stems from how SimpleHelp validates identity provider assertions, allowing an unauthenticated attacker to create and authenticate as a new Technician account under certain configurations. Because Technician accounts can remotely access managed endpoints, execute scripts, and perform administrative actions, successful exploitation can lead to significant compromise of a managed environment. Horizon3.ai identified and responsibly disclosed the vulnerability to SimpleHelp.
Technical Details
The vulnerability affects SimpleHelp servers configured to use either generic OIDC or Azure AD OIDC authentication. An attacker can create and authenticate as a new Technician user when the following conditions exist:
- OIDC is enabled, and at least one OIDC authentication provider is configured on the SimpleHelp server.
- At least one TechnicianGroup is associated with the OIDC provider.
- “Allow group authenticated logins” is enabled on the TechnicianGroup.
Successful exploitation allows an attacker to:
- Create a new Technician account.
- Bypass technician MFA enrollment requirements by registering their own MFA device during first login.
- Access managed endpoints through the SimpleHelp platform.
- Execute scripts and perform privileged technician actions.
According to Horizon3.ai’s research, approximately 14,000 SimpleHelp servers were exposed to the internet at the time of disclosure, with roughly 7.2% of sampled servers configured to use the vulnerable OIDC authentication method.
NodeZero® Proactive Security Platform — Rapid Response
A NodeZero Rapid Response test has been developed to safely validate whether this authentication bypass can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.
- Run the Rapid Response test: Launch from the NodeZero platform to determine whether unauthorized Technician account creation is possible.
- Patch immediately: Upgrade to a fixed SimpleHelp release and review OIDC authentication configurations.
- Re-run the test: Confirm the vulnerability is no longer exploitable after remediation.
Indicators of Compromise
Administrators should review all group-authenticated Technician accounts by navigating to:
Administration → Technicians → Gear Icon → Show Group Authenticated Users
Investigate any unfamiliar technician names or email addresses.
Review server logs for evidence of unauthorized technician registration, including entries similar to:
Registering technician login for rapidresponse-4b611bdd@horizon3.ai / (Technicians)
Configuration save requested (Forged Attacker - rapidresponse-4b611bdd@horizon3.ai [(Technicians)] [New Anon])
Relevant log locations:
| Indicator | Type | Description |
| --- | --- | --- |
| /opt/SimpleHelp/logs/server.log | Log File | Primary SimpleHelp server log |
| /opt/SimpleHelp/logs/<YYYYMMDD-HHMMSS>/server.log | Log File | Historical server logs |
| Registering technician login for ... | Log Entry | Evidence of technician creation |
| Configuration save requested ... [New Anon] | Log Entry | Potential unauthorized technician registration |
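
The log review above can be scripted. This is an added example, not code from Horizon3.ai or SimpleHelp: it scans server.log lines for the two entries quoted above and reports every login that is not on an allowlist of known technicians. The function name, the allowlist, and the timestamp prefix in the sample lines are assumptions; only the message text comes from the advisory.

```python
import re
import sys

# Message text is taken from the advisory. Whatever precedes it on a real log
# line (timestamp, level) is not assumed, so the patterns are left unanchored.
REGISTER = re.compile(r"Registering technician login for (?P<login>\S+) / \((?P<group>[^)]*)\)")
NEW_ANON = re.compile(r"Configuration save requested \((?P<detail>.*)\[New Anon\]\)")
EMAIL = re.compile(r"[\w.+-]+@[\w.-]+\w")

def find_suspect_registrations(lines, known_logins=()):
    """Return {login: finding} for logins in either entry that are not allowlisted."""
    known = {k.lower() for k in known_logins}
    findings = {}
    for number, line in enumerate(lines, start=1):
        reg, anon = REGISTER.search(line), NEW_ANON.search(line)
        if reg:
            login, group = reg["login"].lower(), reg["group"]
        elif anon and (email := EMAIL.search(anon["detail"])):
            login, group = email[0].lower(), None
        else:
            continue
        if login in known:
            continue
        entry = findings.setdefault(login, {"group": None, "new_anon": False, "lines": []})
        entry["group"] = entry["group"] or group
        entry["new_anon"] = entry["new_anon"] or anon is not None
        entry["lines"].append(number)
    return findings

# Constructed sample: the timestamps and the alice@example.com line are made up;
# the last two messages are the ones quoted in the advisory.
SAMPLE_LOG = [
    "2026-01-01 10:00:00 Server started",
    "2026-01-01 10:05:00 Registering technician login for alice@example.com / (Technicians)",
    "2026-01-01 10:06:00 Registering technician login for rapidresponse-4b611bdd@horizon3.ai / (Technicians)",
    "2026-01-01 10:06:01 Configuration save requested (Forged Attacker - rapidresponse-4b611bdd@horizon3.ai [(Technicians)] [New Anon])",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /opt/SimpleHelp/logs/server.log
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG
    for login, f in find_suspect_registrations(lines, known_logins=sys.argv[2:]).items():
        print(f"{login} group={f['group']} new_anon={f['new_anon']} lines={f['lines']}")
```

Run it against the current and historical server logs listed in the table, passing known technician logins as extra arguments; any login it prints should be checked against the group-authenticated users list.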
Affected Versions & Patch
Affected:
- SimpleHelp deployments configured with OIDC authentication that meet the vulnerable configuration requirements described above.
Patch:
- Upgrade to the patched versions (SimpleHelp 5.5.16 or SimpleHelp 6.0 RC2) per SimpleHelp’s security update.
- If patching cannot be performed immediately, restrict Technician authentication to approved source IP addresses per Horizon3.ai researchers’ recommendation:
Administration → Login Security
Timeline
- May 21, 2026 — Horizon3.ai discovered the authentication bypass vulnerability and it was assigned CVE-2026-48558.
- May 21, 2026 — Researchers validated exploitability in real-world customer environments.
- May 22, 2026 — Vulnerability reported to SimpleHelp.
- May 22, 2026 to June 1, 2026 — Coordination and analysis of exploitable configurations.
- May 26, 2026 — SimpleHelp releases patches without specifying a CVE.
- June 9, 2026 — Horizon3.ai observed that SimpleHelp had released patches.
- June 12, 2026 — Horizon3.ai publishes attack blog: CVE-2026-48558: SimpleHelp Authentication Bypass Indicators of Compromise
- June 12, 2026 — Rapid Response test added to NodeZero