{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3432", "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "state": "PUBLISHED", "assignerShortName": "tenable", "dateReserved": "2026-03-02T12:42:30.208Z", "datePublished": "2026-03-02T13:01:05.290Z", "dateUpdated": "2026-03-02T13:32:11.796Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "sim", "repo": "https://github.com/simstudioai/sim", "vendor": "SimStudioAI", "versions": [{"lessThan": "0.5.74", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2026-03-02T12:55:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "On SimStudio version below to 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with `credentialAccountUserId` and `providerId` parameters. An unauthenticated attacker can retrieve OAuth access tokens for any user by supplying their user ID and a provider name, effectively stealing credentials to third-party services."}], "value": "On SimStudio version below to 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with `credentialAccountUserId` and `providerId` parameters. An unauthenticated attacker can retrieve OAuth access tokens for any user by supplying their user ID and a provider name, effectively stealing credentials to third-party services."}], "impacts": [{"capecId": "CAPEC-665", "descriptions": [{"lang": "en", "value": "CAPEC-665 Exploitation of Thunderbolt Protection Flaws"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable", "dateUpdated": "2026-03-02T13:01:05.290Z"}, "references": [{"url": "https://www.tenable.com/security/research/tra-2026-13"}], "source": {"discovery": "UNKNOWN"}, "title": "Sim Studio AI - Unauthenticated OAuth Token Theft", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T13:32:03.820205Z", "id": "CVE-2026-3432", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T13:32:11.796Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3432", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-02T13:32:03.820205Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T13:32:08.295Z"}}], "cna": {"title": "Sim Studio AI - Unauthenticated OAuth Token Theft", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-665", "descriptions": [{"lang": "en", "value": "CAPEC-665 Exploitation of Thunderbolt Protection Flaws"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/simstudioai/sim", "vendor": "SimStudioAI", "product": "sim", "versions": [{"status": "affected", "version": "0", "lessThan": "0.5.74", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-02T12:55:00.000Z", "references": [{"url": "https://www.tenable.com/security/research/tra-2026-13"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "On SimStudio version below to 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with `credentialAccountUserId` and `providerId` parameters. An unauthenticated attacker can retrieve OAuth access tokens for any user by supplying their user ID and a provider name, effectively stealing credentials to third-party services.", "supportingMedia": [{"type": "text/html", "value": "On SimStudio version below to 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with `credentialAccountUserId` and `providerId` parameters. An unauthenticated attacker can retrieve OAuth access tokens for any user by supplying their user ID and a provider name, effectively stealing credentials to third-party services.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable", "dateUpdated": "2026-03-02T13:01:05.290Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3432", "state": "PUBLISHED", "dateUpdated": "2026-03-02T13:32:11.796Z", "dateReserved": "2026-03-02T12:42:30.208Z", "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "datePublished": "2026-03-02T13:01:05.290Z", "assignerShortName": "tenable"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sim:sim:*:*:*:*:*:*:*:*", "matchCriteriaId": "290F2E37-EB57-4D7D-99A8-A944174F757E", "versionEndExcluding": "0.5.74", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "On SimStudio version below to 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with `credentialAccountUserId` and `providerId` parameters. An unauthenticated attacker can retrieve OAuth access tokens for any user by supplying their user ID and a provider name, effectively stealing credentials to third-party services."}, {"lang": "es", "value": "En la versi\u00f3n de SimStudio anterior a la 0.5.74, el endpoint `/api/auth/oauth/token` contiene una ruta de c\u00f3digo que omite todas las comprobaciones de autorizaci\u00f3n cuando se le proporcionan los par\u00e1metros `credentialAccountUserId` y `providerId`. Un atacante no autenticado puede recuperar tokens de acceso OAuth para cualquier usuario proporcionando su ID de usuario y un nombre de proveedor, robando eficazmente credenciales para servicios de terceros."}], "id": "CVE-2026-3432", "lastModified": "2026-03-06T20:30:11.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vulnreport@tenable.com", "type": "Secondary"}]}, "published": "2026-03-02T13:16:05.367", "references": [{"source": "vulnreport@tenable.com", "tags": ["Third Party Advisory"], "url": "https://www.tenable.com/security/research/tra-2026-13"}], "sourceIdentifier": "vulnreport@tenable.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "vulnreport@tenable.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.5.74)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "sim", "source": "cna", "vendor": "SimStudioAI"}, "product": "sim", "vendor": "simstudioai"}], "analysis": {"en": {"generated_at": "2026-04-16T14:34:16.297559+00:00", "value": {"mitigation_remediation": ["Upgrade SimStudio to version 0.5.74 or later, which implements proper authorization checks for the OAuth token endpoint.", "Apply a network filter or firewall rule to block unauthenticated requests to the /api/auth/oauth/token endpoint from untrusted networks.", "Implement logging and alerting for repeated unauthenticated requests to /api/auth/oauth/token to detect possible abuse."], "summary": {"action": "Immediate Patch", "impact": "OAuth Token Theft"}, "threat_synthesis": {"affected_systems": "The affected product is SimStudioAI\u2019s Sim product. Vulnerable releases are all SimStudio versions earlier than 0.5.74. No other vendors or products are listed. The exact affected versions are not enumerated, but the warning applies to any installation that has not yet reached the 0.5.74 release.", "description_and_impact": "SimStudio version entries prior to 0.5.74 contain a flaw in the \"/api/auth/oauth/token\" endpoint that ignores authorization checks when the request includes the parameters credentialAccountUserId and providerId. The result is that an unauthenticated user can request an OAuth access token for any account by simply supplying a user ID and the name of the third\u2011party provider. The stolen tokens can then be used to impersonate the user on the external service, giving the attacker full access to the services that rely on OAuth for authentication. This vulnerability represents a new credential theft primitive that bypasses all access controls and can be used to compromise users without needing any prior knowledge of their credentials.", "risk_and_exploitability": "The CVSS score of 9.3 indicates a critical severity. The EPSS score of <1% suggests an overall low likelihood of exploitation at present, and the vulnerability has not yet been reported in CISA\u2019s Known Exploited Vulnerabilities catalog. Exploitability requires only network access to the target\u2019s API and does not depend on user interaction; therefore an attacker can execute the attack simply by sending a crafted HTTP request. The lack of authentication checks means the attacker can recover tokens for any user, potentially enabling lateral movement and full compromise of the victim\u2019s third\u2011party accounts."}}}}, "created": "2026-03-03T08:45:13.218171+00:00", "updated": "2026-04-16T14:45:25.931862+00:00", "vendors": ["simstudioai", "simstudioai$PRODUCT$sim"]}