Vulnerability in Mockoon's Admin API Allows Unauthenticated Access
CVE-2026-59148

8.8HIGH

Key Information:

Vendor

Mockoon

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59148?

Mockoon, a platform for designing and running mock APIs, faced a critical exposure issue in its admin API prior to version 9.7.0. By default, this API was mounted on the same Express listener as user-defined mock routes, allowing any unauthenticated users to access the mock server without restrictions. This vulnerability enabled unauthorized access to sensitive environment variables prefixed with MOCKOON_ as well as the potential to modify process environment variables. Attackers could rewrite mock route data, statuses, and headers, read transaction logs, and even purge server state through various endpoints like /mockoon-admin/env-vars and PUT /mockoon-admin/environment. This flaw is mitigated in version 9.7.0.

Affected Version(s)

mockoon < 9.7.0

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.