Primary

Context

SimStudio Unauthenticated OAuth Token Theft Vulnerability

Vulnerability

A vulnerability exists in SimStudio versions prior to 0.5.74, specifically in the '/api/auth/oauth/token' endpoint. This vulnerability allows an unauthenticated attacker to bypass authorization checks by using the 'credentialAccountUserId' and 'providerId' parameters. By supplying a user's ID and a provider name, the attacker can obtain OAuth access tokens for that user, effectively stealing credentials for third-party services.

Impact

Exploitation of this vulnerability allows for unauthorized access to OAuth tokens, which can be used to impersonate users and access their third-party service credentials.

Remediation

Users are advised to update to SimStudio version 0.5.74 or later.

Added: Mar 2, 2026, 1:18 PM

Updated: Mar 2, 2026, 10:07 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

3.5

exploitability

7.4

remediation

0.0

relevance

3.4

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

3.5

exploitability

7.4

remediation

0.0

relevance

3.4

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

SimStudio Unauthenticated OAuth Token Theft Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating