CRITICALCVE-2026-3431Published Modified CNA tenable
CVE-2026-3431: Sim Studio AI - MongoDB SSRF and Arbitrary Document Deletion
On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB instance and perform unauthorized operations including reading, modifying, and deleting data.
Metrics
- CVSS v3.1
- 9.8
- Severity
- CRITICAL
- Fixed in
- 0.5.74
- Affected Products
- 1
Fix available
0.5.74
Affected packages
- SimStudioAI / sim< 0.5.74 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HReferences