Skip to main content

SimStudioAI Sim CVE-2026-13510

| EUVDEUVD-2026-40007 LOW
Use of Weak Hash (CWE-328)
2026-06-28 VulDB GHSA-g2q4-cj5p-88qg
2.9
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.9 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

Network-accessible attack requires cookie interception as prerequisite (AC:H); no prior privileges needed to receive the token (PR:N); impact is limited to partial confidentiality from hash slot leakage with no integrity or availability consequence.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Jun 28, 2026 - 23:22 NVD
MEDIUM LOW
CVSS changed
Jun 28, 2026 - 23:22 NVD
6.3 (MEDIUM) 2.9 (LOW)
Severity Changed
Jun 28, 2026 - 23:22 NVD
MEDIUM LOW
CVSS changed
Jun 28, 2026 - 23:22 NVD
6.3 (MEDIUM) 2.9 (LOW)
Source Code Evidence Fetched
Jun 28, 2026 - 23:21 vuln.today
Analysis Generated
Jun 28, 2026 - 23:21 vuln.today

DescriptionCVE.org

A vulnerability was found in SimStudioAI sim up to 0.6.92. Affected by this vulnerability is an unknown functionality in the library apps/sim/lib/core/security/deployment.ts of the component Password Protection Handler. Performing a manipulation results in use of weak hash. The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit has been made public and could be used. The pull request to fix this issue awaits acceptance.

AnalysisAI

Deployment authentication token weakness in SimStudioAI Sim up to 0.6.92 leaks a truncated SHA-256 derivative of the encrypted deployment password inside base64-encoded auth cookies, enabling offline hash cracking and potential token forgery against password-protected deployments. The vulnerable Password Protection Handler embeds only the first 8 hex characters (32 bits) of an unsalted SHA-256 hash of the encrypted password directly in the unprotected token payload - a CWE-328 use of weak hash - allowing an attacker who obtains the cookie to brute-force the narrow hash space and fingerprint or bypass deployment authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify password-protected Sim deployment
Delivery
Intercept or steal deployment auth cookie
Exploit
Base64-decode token payload
Execution
Extract 8-char SHA-256 password slot
Persist
Brute-force 32-bit hash offline
Impact
Forge or replay deployment access token

Vulnerability AssessmentAI

Exploitation Exploitation requires that the targeted SimStudioAI Sim instance has the Password Protection feature enabled on at least one deployed agent - deployments without password protection do not issue the vulnerable auth tokens. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P) scores 6.3 and accurately reflects a network-accessible, high-complexity attack limited to confidentiality impact on the vulnerable system with no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a SimStudioAI Sim deployment with password protection enabled intercepts a victim's deployment auth cookie via network sniffing on non-HTTPS traffic or through a client-side cookie theft vector. The attacker base64-decodes the token, extracts the 8-character hex `passwordSlot` field, and runs an offline brute-force or dictionary attack against the 32-bit SHA-256 hash space to recover the encrypted password derivative. …
Remediation No officially merged or released patch exists at time of analysis - fix PR #4760 (https://github.com/simstudioai/sim/pull/4760) is pending acceptance. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13510 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy