CVE-2026-3431 CRITICAL

CVE-2026-3431: Sim Studio AI - MongoDB SSRF and Arbitrary Document Deletion

Vendor Simstudioai
Product sim
Weakness CWE-862 · Missing authorization
Published March 2, 2026
Last update March 2, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB instance and perform unauthorized operations including reading, modifying, and deleting data.

Key dates

02Disclosure timeline

March 2, 2026 CVE published
March 2, 2026 Record updated

Related vulnerabilities

04Related CVE