LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-3431

CVE-2026-3431 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 2, 2026

SimStudio - Broken Access Control

Published: March 2, 2026Updated: March 2, 2026Remote Exploitable

Overview

SimStudio < 0.5.74 contains a broken access control vulnerability caused by unauthenticated MongoDB tool endpoints accepting arbitrary connection parameters, letting attackers perform unauthorized operations on reachable MongoDB instances, exploit requires network access.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 6.7%(Probability of exploitation in next 30 days)

Impact

Attackers can read, modify, and delete data on any reachable MongoDB instance without authentication.

Mitigation

Update to version 0.5.74 or later.

References

Social Media Activity(2 posts)

AA
AA
@AAKL
Mar 2, 2026

New. Tenable has added three vulnerabilities to its threat advisories: - Critical: CVE-2026-3432: Sim Studio AI - Unauthenticated OAuth Token Theft https://www.tenable.com/security/research/tra-2026-13 - Critical: CVE-2026-3431: Sim Studio AI - MongoDB SSRF and Arbitrary Document Deletion https://www.tenable.com/security/research/tra-2026-12 - Medium: CVE-2026-27167: Gradio - Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret https://www.tenable.com/security/research/tra-2026-11 @tenable #vulnerability #infosec

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 2, 2026

šŸ”“ CVE-2026-3431 - Critical (9.8) On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB insta... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-3431/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-3431
Severity
Critical
CVSS Score
9.8
Type
broken_access_control
Status
unconfirmed
EPSS
6.7%
Social Posts
2

CWE

  • CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

6.7%Probability of exploitation in the next 30 days