๐Ÿ” CVE Alert

CVE-2026-59148

HIGH 8.8

Mockoon: Unauthenticated admin API + wildcard CORS allows mock-state hijack and secret theft

CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: * with write methods allowed, and has no authentication. Any unauthenticated caller who can reach the mock server port can read MOCKOON_* environment variables, write arbitrary process environment variables through /mockoon-admin/env-vars, rewrite mock route bodies, statuses, and headers through PUT /mockoon-admin/environment, read transaction logs and SSE streams, and purge state. This issue is fixed in version 9.7.0.

CWE CWE-306 CWE-352 CWE-732 CWE-942
Vendor mockoon
Product mockoon
Published Jul 9, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for mockoon mockoon

Be the first to know when new high vulnerabilities affecting mockoon mockoon are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

mockoon / mockoon
< 9.7.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/mockoon/mockoon/security/advisories/GHSA-rqx4-3f6q-3x2v github.com: https://github.com/mockoon/mockoon/pull/2254 github.com: https://github.com/mockoon/mockoon/commit/c420b5a56918475b8663977b51e5f986e45b3299 github.com: https://github.com/mockoon/mockoon/releases/tag/v9.7.0 mockoon.com: https://mockoon.com/releases/9.7.0