SimStudio OAuth Token Exposure on Older Versions
CVE-2026-3432
Severity score: 9.3
Summary
On older versions of SimStudio, an attacker can obtain unauthorized OAuth access tokens for any user by submitting their user ID and a provider name. This allows them to access third-party services without permission. Update to SimStudio version 0.5.74 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| sim | sim | <= 0.5.74 | – |
Original title
On SimStudio versions below 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with `credentialAccountUserId` and `providerId` ...
Original description
On SimStudio versions below 0.5.74, the `/api/auth/oauth/token` endpoint contains a code path that bypasses all authorization checks when provided with the `credentialAccountUserId` and `providerId` parameters. An unauthenticated attacker can retrieve OAuth access tokens for any user by supplying that user's ID and a provider name, effectively stealing the user's credentials for third-party services.
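The flaw described above is a classic CWE-862 shape: one branch of a token endpoint trusts a user ID supplied in the request body and never consults the caller's session. The following is an added illustration, not SimStudio's code and not taken from the Tenable advisory; the in-memory credential store, the request/response shapes and the handler names `handleTokenRequestVulnerable` and `handleTokenRequestFixed` are all constructed for the example. It shows the vulnerable pattern beside a hardened handler that requires an authenticated session and refuses to hand out a credential the session user does not own.

```javascript
// Added illustration of CWE-862 (missing authorization) in an OAuth token
// endpoint, modelled on the flaw class described for CVE-2026-3432.
// This is NOT SimStudio's code: the store, request shapes and handler
// names are constructed for the example.

// Constructed in-memory credential store: accountId -> stored OAuth credential.
const CREDENTIALS = new Map([
  ['acct-alice-github', { userId: 'user-alice', providerId: 'github', accessToken: 'tok_CONSTRUCTED_ALICE' }],
  ['acct-bob-google',   { userId: 'user-bob',   providerId: 'google', accessToken: 'tok_CONSTRUCTED_BOB' }],
]);

// Look up a stored credential by owner and provider (constructed helper).
function findCredential(userId, providerId) {
  for (const cred of CREDENTIALS.values()) {
    if (cred.userId === userId && cred.providerId === providerId) return cred;
  }
  return null;
}

// Vulnerable shape: when the body carries credentialAccountUserId and
// providerId, the handler resolves the credential directly from those
// values and never looks at req.session, so an unauthenticated caller can
// name any user and receive that user's access token.
function handleTokenRequestVulnerable(req) {
  const { credentialAccountUserId, providerId } = req.body || {};
  if (credentialAccountUserId && providerId) {
    const cred = findCredential(credentialAccountUserId, providerId);
    if (!cred) return { status: 404, body: { error: 'credential not found' } };
    return { status: 200, body: { accessToken: cred.accessToken } };
  }
  return { status: 400, body: { error: 'missing parameters' } };
}

// Hardened shape: every path first requires an authenticated session, and
// the credential lookup is keyed on the session's user. A user ID in the
// body is only accepted when it matches the session; a mismatch is denied
// (403) rather than silently ignored, which also makes probing visible.
function handleTokenRequestFixed(req) {
  if (!req.session || !req.session.userId) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  const { credentialAccountUserId, providerId } = req.body || {};
  if (!providerId) return { status: 400, body: { error: 'missing providerId' } };
  if (credentialAccountUserId && credentialAccountUserId !== req.session.userId) {
    return { status: 403, body: { error: 'not authorized for that credential' } };
  }
  const cred = findCredential(req.session.userId, providerId);
  if (!cred) return { status: 404, body: { error: 'credential not found' } };
  return { status: 200, body: { accessToken: cred.accessToken } };
}

// Side-by-side demonstration on constructed requests.
function demo() {
  const anonymous = { session: null,
    body: { credentialAccountUserId: 'user-alice', providerId: 'github' } };
  const bobAsksForAlice = { session: { userId: 'user-bob' },
    body: { credentialAccountUserId: 'user-alice', providerId: 'github' } };
  const aliceOwn = { session: { userId: 'user-alice' }, body: { providerId: 'github' } };
  return {
    vulnerableAnonymous: handleTokenRequestVulnerable(anonymous).status, // 200: token leaked
    fixedAnonymous:      handleTokenRequestFixed(anonymous).status,      // 401
    fixedCrossUser:      handleTokenRequestFixed(bobAsksForAlice).status, // 403
    fixedOwner:          handleTokenRequestFixed(aliceOwn).status,        // 200
  };
}
```

The point of the hardened handler is that the authorization decision is derived from the authenticated session on every path, not from any identifier the client can type into the request body. When reviewing a token endpoint, look for any branch that reaches the credential store without first passing through the same session check as the others; in the fixed version there is exactly one such check and it sits before any lookup.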
NVD CVSS 3.1: 9.1
NVD CVSS 4.0: 9.3
Vulnerability type: CWE-862 (Missing Authorization)
References
- https://www.tenable.com/security/research/tra-2026-13 (Third Party Advisory)
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026