CVE-2026-3431

Critical

Published: 02 March 2026

Published

02 March 2026

Modified

06 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 26.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3431 is a critical-severity Missing Authorization (CWE-862) vulnerability in Sim Sim. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 enforces approved authorizations for access to system resources, directly mitigating the lack of authentication on MongoDB tool endpoints that allow unauthorized operations.

SI-10 Information Input Validation partial match

prevent

SI-10 validates information inputs, addressing the acceptance of arbitrary connection parameters without host restrictions to prevent connections to unauthorized MongoDB instances.

AC-4 Information Flow Enforcement partial match

prevent

AC-4 enforces controls on information flows between systems, mitigating the ability to proxy connections to external MongoDB instances without restrictions.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

Vulnerability in network-accessible SimStudio MongoDB endpoints (missing auth/restrictions) directly enables T1190 exploitation of public-facing apps to proxy/achieve unauthorized access to reachable MongoDB instances, facilitating T1213.006 data collection from databases.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB instance and perform unauthorized operations including…

reading, modifying, and deleting data.

Deeper analysisAI

CVE-2026-3431 is a critical vulnerability in SimStudio versions below 0.5.74, where the MongoDB tool endpoints accept arbitrary connection parameters from callers without authentication or host restrictions. This flaw, mapped to CWE-862 (Missing Authorization), enables attackers to proxy connections through SimStudio to external MongoDB instances. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and lack of prerequisites.

Remote, unauthenticated attackers who can reach the affected SimStudio instance over the network can exploit the vulnerable endpoints to connect to any reachable MongoDB server. Exploitation allows full unauthorized access to those MongoDB instances, including reading sensitive data, modifying records, and deleting information, potentially leading to complete data compromise.

The primary advisory from Tenable, available at https://www.tenable.com/security/research/tra-2026-12, provides further details on the vulnerability. Mitigation involves upgrading to SimStudio version 0.5.74 or later, which addresses the lack of authentication and restrictions on the MongoDB tool endpoints.