Vulnerability in Mockoon's Admin API Allows Unauthenticated Access
CVE-2026-59148
8.8HIGH
What is CVE-2026-59148?
Mockoon, a platform for designing and running mock APIs, faced a critical exposure issue in its admin API prior to version 9.7.0. By default, this API was mounted on the same Express listener as user-defined mock routes, allowing any unauthenticated users to access the mock server without restrictions. This vulnerability enabled unauthorized access to sensitive environment variables prefixed with MOCKOON_ as well as the potential to modify process environment variables. Attackers could rewrite mock route data, statuses, and headers, read transaction logs, and even purge server state through various endpoints like /mockoon-admin/env-vars and PUT /mockoon-admin/environment. This flaw is mitigated in version 9.7.0.
Affected Version(s)
mockoon < 9.7.0
