CVE-2026-3431
CRITICAL 9.8
Description
In SimStudio versions below 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB instance and perform unauthorized operations, including reading, modifying, and deleting data.
CVE Details
CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 3/2/2026
Last Modified: 3/6/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
sim:sim
Weaknesses (CWE)
CWE-862
References
https://www.tenable.com/security/research/tra-2026-12 (vulnreport@tenable.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.