CVE-2026-3431
- Source
- https://cve.org/CVERecord?id=CVE-2026-3431
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3431.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-3431
- Published
- 2026-03-02T13:16:05.197Z
- Modified
- 2026-04-10T05:43:01.951128Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB instance and perform unauthorized operations including reading, modifying, and deleting data.
- References
Affected packages
Git / github.com/simstudioai/sim
Affected versions
python-sdk-v0.*
python-sdk-v0.1.1
python-sdk-v0.1.2
typescript-sdk-v0.*
typescript-sdk-v0.1.1
typescript-sdk-v0.1.2
v0.*
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.3.19
v0.3.21
v0.3.22
v0.3.23
v0.3.24
v0.3.26
v0.3.27
v0.3.28
v0.3.30
v0.3.31
v0.3.32
v0.3.33
v0.3.34
v0.3.35
v0.3.36
v0.3.37
v0.3.38
v0.3.39
v0.3.40
v0.3.41
v0.3.42
v0.3.43
v0.3.44
v0.3.45
v0.3.46
v0.3.47
v0.3.50
v0.3.51
v0.3.52
v0.3.53
v0.3.54
v0.3.55
v0.3.56
v0.3.57
v0.3.58
v0.4.0
v0.4.1
v0.4.10
v0.4.11
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.5
v0.5.1
v0.5.11
v0.5.12
v0.5.13
v0.5.14
v0.5.15
v0.5.16
v0.5.17
v0.5.18
v0.5.19
v0.5.2
v0.5.20
v0.5.21
v0.5.22
v0.5.23
v0.5.24
v0.5.25
v0.5.26
v0.5.27
v0.5.28
v0.5.29
v0.5.30
v0.5.31
v0.5.32
v0.5.33
v0.5.34
v0.5.35
v0.5.36
v0.5.37
v0.5.38
v0.5.39
v0.5.40
v0.5.41
v0.5.42
v0.5.43
v0.5.44
v0.5.45
v0.5.46
v0.5.47
v0.5.48
v0.5.49
v0.5.5
v0.5.50
v0.5.51
v0.5.52
v0.5.53
v0.5.54
v0.5.55
v0.5.56
v0.5.57
v0.5.58
v0.5.59
v0.5.6
v0.5.60
v0.5.61
v0.5.62
v0.5.63
v0.5.64
v0.5.65
v0.5.66
v0.5.67
v0.5.68
v0.5.7
v0.5.70
v0.5.71
v0.5.72
v0.5.73
v0.5.8
v0.5.9