CVE-2026-3431 | THREATINT

Description

On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB instance and perform unauthorized operations including reading, modifying, and deleting data.

PUBLISHED Reserved 2026-03-02 | Published 2026-03-02 | Updated 2026-03-02 | Assigner tenable

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-862 Missing Authorization

Product status

Default status

unaffected

Any version before 0.5.74

affected

References

www.tenable.com/security/research/tra-2026-12

cve.org (CVE-2026-3431)

nvd.nist.gov (CVE-2026-3431)

Download JSON