CVE-2026-59148 in Mockoon
Summary
by MITRE • 07/09/2026
Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: * with write methods allowed, and has no authentication. Any unauthenticated caller who can reach the mock server port can read MOCKOON_* environment variables, write arbitrary process environment variables through /mockoon-admin/env-vars, rewrite mock route bodies, statuses, and headers through PUT /mockoon-admin/environment, read transaction logs and SSE streams, and purge state. This issue is fixed in version 9.7.0.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability described represents a critical authentication and authorization flaw in Mockoon's admin API implementation that exposes sensitive system functionality to unauthenticated attackers. This issue affects versions prior to 9.7.0 where the admin API endpoints are mounted on the same Express.js server instance as user-defined mock routes, creating a dangerous configuration where administrative functions become accessible without proper authentication mechanisms.
The technical flaw stems from the default exposure of the admin API through commons-server/src/libs/server/admin-api.ts which serves CORS headers with Access-Control-Allow-Origin: * and permits write operations. This configuration allows any external entity that can reach the mock server port to exploit multiple attack vectors simultaneously. The absence of authentication requirements means that unauthorized parties can manipulate the entire mock API environment through several dangerous endpoints including /mockoon-admin/env-vars for environment variable manipulation, PUT /mockoon-admin/environment for rewriting mock route configurations, and access to transaction logs and server-sent event streams.
The operational impact of this vulnerability is severe as it provides attackers with comprehensive control over the mock API server. Attackers can read sensitive MOCKOON_* environment variables that may contain credentials or configuration data, rewrite mock route bodies, statuses, and headers to alter application behavior, access transaction logs for data exfiltration, and purge system state leading to complete service disruption. This vulnerability essentially transforms a legitimate development tool into an attack vector capable of compromising the entire mock API infrastructure.
The flaw aligns with CWE-306 (Missing Authentication) and CWE-287 (Improper Authentication) classifications, representing a fundamental failure in implementing proper access controls for administrative functions. From an ATT&CK perspective, this vulnerability maps to T1566 (Phishing) through potential exploitation of exposed services, T1071.004 (Application Layer Protocol: DNS) if attackers use DNS-based exfiltration, and T1583 (Acquire Infrastructure) through unauthorized access to development environments. The lack of authentication combined with exposure of sensitive administrative endpoints creates a perfect storm for privilege escalation attacks.
Mitigation strategies should include immediate upgrade to version 9.7.0 or later where the issue has been resolved. Organizations should implement network segmentation to restrict access to mock API server ports, deploy authentication mechanisms for administrative endpoints, and ensure that development tools are not exposed to untrusted networks. Additional security measures include implementing proper CORS policies, disabling unnecessary administrative endpoints in production environments, and conducting regular security assessments of development tool configurations to prevent similar exposures of privileged functions.