What is CVE-2026-48558?
SimpleHelp contains an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication.
Timeline
- 2026-06-29: Added to the CISA Known Exploited Vulnerabilities (KEV) catalog
- 2026-06-30: First covered in a defend.network daily briefing
- 2026-07-02: CISA federal remediation deadline (BOD 22-01)
CISA Known Exploited Vulnerability
SimpleHelp Authentication Bypass Vulnerability
Affected product
SimpleHelp
Remediation Steps
- Apply the patch issued by the vendor for SimpleHelp
- Review access logs for evidence of exploitation or credential theft
- Rotate credentials for cloud, development, and administrative accounts
- Monitor systems for installation or execution of Djinn Stealer or similar info-stealers
- Restrict network access to SimpleHelp instances to trusted administrative networks only
🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.