
SimpleHelp bug lets hackers create rogue remote support accounts

Why This Matters

The vulnerability in SimpleHelp highlights the ongoing risks associated with remote management software, especially when misconfigurations or flaws in how authentication protocols like OIDC are handled are exploited. This flaw underscores the importance for organizations to stay current with security updates to protect sensitive systems from unauthorized access. For consumers and businesses alike, it emphasizes the need for vigilant security practices in remote support tools to prevent potential breaches.

Key Takeaways

A vulnerability in the SimpleHelp remote management software allows unauthenticated attackers to create privileged technician accounts on servers that use the OpenID Connect (OIDC) authentication protocol.

The flaw is tracked as CVE-2026-48558 and received a critical severity rating. It impacts SimpleHelp versions 5.5.15 and older, as well as 6.0 pre-release versions.

Researchers at offensive security company Horizon3.ai explain that the issue is caused by how identity assertions received from an OIDC identity provider (IdP) are validated.

When OIDC authentication is enabled, an unauthenticated attacker can create and log in as a new Technician user without needing to go through the multi-factor authentication (MFA) process.

"This Technician, by default, can perform privileged management activities such as remoting into managed endpoints, executing scripts, and more," Horizon3.ai researcher Zach Hanley explains.

SimpleHelp fixed the vulnerability on June 9 by releasing versions 5.5.16 and 6.0RC2 of the product.

Impact scope

CVE-2026-48558 does not impact every SimpleHelp server running a vulnerable version; rather, it affects the subset that relies on the OIDC protocol, whether the generic implementation or Azure AD OIDC, both of which are common in large enterprises.

As the researchers explain, there are several prerequisites for the exploit to work:

OIDC authentication must be enabled
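
To triage an estate against the two conditions the article states (an affected version and OIDC enabled), a check like the following can be run over an inventory export. This is an added example, not code from SimpleHelp or Horizon3.ai: the inventory records, hostnames and field names are constructed, and treating any 6.0 pre-release label other than RC2 or later as affected is an assumption based on the fixed versions named above.

```python
import re

# Fixed releases named in the article: 5.5.16 and 6.0RC2.
FIXED_5X = (5, 5, 16)
FIXED_6_RC = 2

_VERSION = re.compile(r"^(\d+(?:\.\d+)*)[\s-]*([A-Za-z]+)?[\s-]*(\d+)?$")

def parse_version(text):
    """Split '5.5.15' into ((5, 5, 15), None, None) and '6.0RC1' into ((6, 0), 'rc', 1)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    label = m.group(2).lower() if m.group(2) else None
    number = int(m.group(3)) if m.group(3) else None
    return nums, label, number

def version_is_vulnerable(text):
    """True for 5.5.15 and older, and for 6.0 pre-releases before RC2."""
    nums, label, number = parse_version(text)
    nums += (0,) * max(0, 3 - len(nums))  # pad '6.0' to (6, 0, 0)
    if nums[0] < 6:
        return nums < FIXED_5X
    if nums[:3] != (6, 0, 0) or label is None:
        return False  # 6.0 final or later: outside the affected range
    # Assumption: any pre-release label that is not RC2 or later is affected.
    return not (label == "rc" and (number or 0) >= FIXED_6_RC)

def triage(inventory):
    """Group affected servers: 'exposed' has OIDC on, 'upgrade_only' has it off."""
    result = {"exposed": [], "upgrade_only": []}
    for server in inventory:
        if not version_is_vulnerable(server["version"]):
            continue
        key = "exposed" if server["oidc_enabled"] else "upgrade_only"
        result[key].append(server["name"])
    return result

# Constructed inventory for illustration; names and fields are hypothetical.
INVENTORY = [
    {"name": "support-eu", "version": "5.5.15", "oidc_enabled": True},
    {"name": "support-us", "version": "5.5.16", "oidc_enabled": True},
    {"name": "support-lab", "version": "6.0RC1", "oidc_enabled": True},
    {"name": "support-dr", "version": "6.0RC2", "oidc_enabled": True},
    {"name": "support-old", "version": "5.4.10", "oidc_enabled": False},
]

if __name__ == "__main__":
    print(triage(INVENTORY))
```

Servers in the "upgrade_only" group do not meet the OIDC condition today but become exposed if OIDC is later enabled on an unpatched version.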
