{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-3431","assignerOrgId":"5ac1ecc2-367a-4d16-a0b2-35d495ddd0be","state":"PUBLISHED","assignerShortName":"tenable","dateReserved":"2026-03-02T12:35:15.152Z","datePublished":"2026-03-02T13:00:58.829Z","dateUpdated":"2026-03-02T13:33:23.987Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"sim","repo":"https://github.com/simstudioai/sim","vendor":"SimStudioAI","versions":[{"lessThan":"0.5.74","status":"affected","version":"0","versionType":"custom"}]}],"datePublic":"2026-03-02T12:55:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB instance and perform unauthorized operations including reading, modifying, and deleting data."}],"value":"On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB instance and perform unauthorized operations including reading, modifying, and deleting data."}],"impacts":[{"capecId":"CAPEC-665","descriptions":[{"lang":"en","value":"CAPEC-665 Exploitation of Thunderbolt Protection Flaws"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862 Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"5ac1ecc2-367a-4d16-a0b2-35d495ddd0be","shortName":"tenable","dateUpdated":"2026-03-02T13:00:58.829Z"},"references":[{"url":"https://www.tenable.com/security/research/tra-2026-12"}],"source":{"discovery":"UNKNOWN"},"title":"Sim Studio AI - MongoDB SSRF and Arbitrary Document Deletion","x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-02T13:33:17.892002Z","id":"CVE-2026-3431","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-02T13:33:23.987Z"}}]}}