Impact
SimStudio versions prior to 0.5.74 contain a flaw in the "/api/auth/oauth/token" endpoint: authorization checks are skipped when the request includes the parameters credentialAccountUserId and providerId. As a result, an unauthenticated user can request an OAuth access token for any account by supplying a user ID and the name of the third-party provider. The stolen tokens can then be used to impersonate the user on the external service, giving the attacker full access to the services that rely on OAuth for authentication. The vulnerability is a new credential theft primitive that bypasses all access controls and can be used to compromise users without any prior knowledge of their credentials.
Affected Systems
The affected product is SimStudioAI's Sim. All SimStudio versions earlier than 0.5.74 are vulnerable. No other vendors or products are listed. The exact affected versions are not enumerated, but the warning applies to any installation that has not yet reached the 0.5.74 release.
Risk and Exploitability
The CVSS score of 9.3 indicates critical severity. The EPSS score of <1% suggests a low overall likelihood of exploitation at present, and the vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation requires only network access to the target's API and does not depend on user interaction, so an attacker can carry out the attack simply by sending a crafted HTTP request. Because authentication checks are missing, the attacker can recover tokens for any user, potentially enabling lateral movement and full compromise of the victim's third-party accounts.
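A log triage check for the request pattern described above, added here as an example; it is not part of the original advisory or of Sim's code. The log field names (src, path, params, session_user, status) and every sample record are constructed assumptions about a proxy or application log.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

ENDPOINT = "/api/auth/oauth/token"  # endpoint named in the advisory
TRIGGER = {"credentialAccountUserId", "providerId"}  # parameters named in the advisory
# Constructed sample records. Field names (src, path, params, session_user,
# status) are assumptions about a proxy/application log, not Sim's log format.
SAMPLE_LOG = """\
{"src":"198.51.100.7","path":"/api/auth/oauth/token","params":{"credentialAccountUserId":"u-1001","providerId":"provider-a"},"session_user":null,"status":200}
{"src":"198.51.100.7","path":"/api/auth/oauth/token?x=1","params":{"credentialAccountUserId":"u-1002","providerId":"provider-a"},"session_user":null,"status":200}
{"src":"203.0.113.20","path":"/api/auth/oauth/token","params":{"credentialAccountUserId":"u-2000","providerId":"provider-b"},"session_user":"u-2000","status":200}
{"src":"203.0.113.31","path":"/api/auth/oauth/token","params":{"credentialId":"c-9"},"session_user":null,"status":401}
{"src":"198.51.100.7","path":"/api/auth/oauth/token","params":{"credentialAccountUserId":"u-1003","providerId":"provider-a"},"session_user":null,"status":401}
not-json garbage line
"""


def is_unauthenticated_token_request(rec):
    """True when a record matches the request pattern described in the advisory."""
    path = urlsplit(str(rec.get("path") or "")).path.rstrip("/")
    params = rec.get("params")
    return (isinstance(params, dict)
            and path == ENDPOINT
            and TRIGGER.issubset(params)
            and not rec.get("session_user"))


def summarize(log_text):
    """Group matching requests by source address for triage."""
    hits = defaultdict(lambda: {"requests": 0, "token_issued": 0, "user_ids": set()})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict) or not is_unauthenticated_token_request(rec):
            continue
        entry = hits[rec.get("src", "unknown")]
        entry["requests"] += 1
        entry["user_ids"].add(rec["params"]["credentialAccountUserId"])
        if rec.get("status") == 200:  # assumed to mean a token was returned
            entry["token_issued"] += 1
    return dict(hits)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Any source with a non-zero token_issued count on a pre-0.5.74 installation identifies user IDs whose third-party OAuth tokens should be treated as exposed and revoked at the provider.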