Authorization Bypass in SimStudio Affects User Credential Security
CVE-2026-3432

9.3CRITICAL

Key Information:

Vendor: Simstudioai
Status: Sim
Vendor: CVE Published:; 2 March 2026

🔔 Create Simstudioai Vulnerability Alert

What is CVE-2026-3432?

The SimStudio application, specifically versions below 0.5.74, is vulnerable due to a flawed implementation in the /api/auth/oauth/token endpoint. This flaw allows an unauthenticated attacker to bypass all authorization checks by exploiting credentialAccountUserId and providerId parameters. By doing so, they can retrieve OAuth access tokens belonging to any user by simply providing the user's ID and the corresponding provider name. This vulnerability can lead to unauthorized access to user accounts and the potential for credential theft across third-party services.

Affected Version(s)

sim 0 < 0.5.74

References

https://www.tenable.com/security/research/tra-2026-13

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 2, 2026
Vulnerability Reserved
Mar 2, 2026

CVE-2026-3432 Data

JSON