What is CVE-2026-3431?

CVE-2026-3431 is a critical-severity vulnerability in Sim, classified under Missing Authorization. CVSS score: 9.8/10. Published 2026-03-02.

How severe is CVE-2026-3431?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Auth bypass in Sim

CVE-2026-3431

On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable Mongo…

Vulnerability class: Broken Access Control

EPSS: 0.004 (27.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Sim
Simstudioai Sim — versions 0

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

vulnreport@tenable.com (Third Party Advisory)

Frequently asked questions

What is CVE-2026-3431?: CVE-2026-3431 is a critical-severity vulnerability in Sim, classified under Missing Authorization. CVSS score: 9.8/10. Published 2026-03-02.
How severe is CVE-2026-3431?: Critical severity. CVSS v3 base score is 9.8 out of 10.