Verified — SimpleHelp OIDC authentication accepts unsigned/forged ID tokens, enabling remote authentication bypass and possible MFA bypass in versions 5.5.15 and earlier and 6.0 prereleases prior to the fixed release.
Severity CRITICAL
Confidence HIGH
Reproduced in 94m 25s
Tool calls 550
Spend $37.97
Affected SimpleHelp 5.5.15 and earlier; 6.0 prerelease versions before 6.0 RC2
Fixed in 5.5.16; 6.0 RC2 / 6.0 prerelease (20260327-150806)
$
pruva-verify REPRO-2026-00222 or
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00222/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Run in a VM or disposable container. This exploits a real vulnerability.
SimpleHelp’s OpenID Connect (OIDC) authentication flow fails to verify the cryptographic signature on submitted identity tokens. An unauthenticated remote attacker can forge an ID token with arbitrary claims to obtain a fully authenticated technician session; in some configurations this also bypasses multi‑factor authentication. The issue affects SimpleHelp 5.5.15 and earlier and 6.0 prerelease builds before the fixed release.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.
bundle/ticket.md3.2 KBbundle/ticket.json4.2 KBbundle/repro/rca_report.md8.1 KBbundle/logs/vuln_idp.log1.0 KBbundle/logs/patched_idp.log1.0 KBbundle/logs/class_comparison.log1.1 KBbundle/logs/vuln_runtime_tail.log18.2 KBbundle/logs/patched_runtime_tail.log17.8 KBbundle/vuln_variant/patch_analysis.md7.3 KBbundle/vuln_variant/rca_report.md12.9 KBbundle/coding/summary_report.md10.0 KBbundle/coding/verify_logs/fixed_idp.log0.4 KBbundle/coding/src/FixAgent.java3.9 KBbundle/coding/fixagent.jar5.8 KBbundle/repro/reproduction_steps.sh17.4 KBbundle/repro/runtime_manifest.json1.0 KBbundle/repro/validation_verdict.json0.7 KBbundle/logs/reproduction_steps.log5.9 KBbundle/logs/flow_summary.json0.7 KBbundle/logs/vuln_flow.json2.4 KBbundle/logs/patched_flow.json2.3 KBbundle/logs/forged_jwt.txt0.3 KBbundle/vuln_variant/reproduction_steps.sh18.9 KBbundle/vuln_variant/runtime_manifest.json0.9 KBbundle/vuln_variant/validation_verdict.json2.3 KBbundle/vuln_variant/variant_manifest.json3.8 KBbundle/vuln_variant/root_cause_equivalence.json1.4 KBbundle/coding/proposed_fix.diff24.0 KBbundle/coding/verify_fix.sh17.3 KBbundle/coding/verify_logs/verify_result.json0.7 KBbundle/coding/verify_logs/fix_evidence.log0.3 KBbundle/coding/verify_logs/fixed_flow.json1.1 KB