CVE-2026-3431

Sim Studio AI - MongoDB SSRF and Arbitrary Document Deletion

CVSS 9.8 CRITICALEPSS 0.4%CWE-862

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.8EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

02 Mar 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB instance and perform unauthorized operations including reading, modifying, and deleting data.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

SimStudioAI · sim

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.tenable.com/security/research/tra-2026-12