CVE-2026-59148
Received Received - Intake

Remote Code Execution in Mockoon Admin API

Vulnerability report for CVE-2026-59148, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: * with write methods allowed, and has no authentication. Any unauthenticated caller who can reach the mock server port can read MOCKOON_* environment variables, write arbitrary process environment variables through /mockoon-admin/env-vars, rewrite mock route bodies, statuses, and headers through PUT /mockoon-admin/environment, read transaction logs and SSE streams, and purge state. This issue is fixed in version 9.7.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-10
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
mockoon mockoon to 9.7.0 (exc)
mockoon mockoon 9.7.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59148 is a vulnerability in Mockoon versions prior to 9.7.0 where the Admin API is exposed without authentication on the same port as user-defined mock routes. This Admin API serves Access-Control-Allow-Origin: * with write methods allowed and no authentication, allowing any unauthenticated user who can reach the mock server port to perform unauthorized actions.

  • Read MOCKOON_* environment variables, including sensitive secrets.
  • Write arbitrary process environment variables through the /mockoon-admin/env-vars endpoint.
  • Rewrite mock route bodies, statuses, and headers via PUT /mockoon-admin/environment.
  • Read transaction logs and server-sent event (SSE) streams.
  • Purge state, causing denial-of-service.

This vulnerability allows attackers to manipulate mock API behavior, steal secrets, and disrupt services without any authentication.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive environment variables such as API keys and JWT secrets, which can lead to further compromise of systems.

Attackers can modify mock API responses, status codes, and headers in real-time, potentially misleading developers, automated tests, or downstream consumers relying on these mocks.

It can cause denial-of-service by purging the state of the mock server.

If the mock server is exposed to the internet or accessed via malicious websites, attackers can exploit this vulnerability remotely, increasing the risk and severity.

Overall, it compromises the integrity, confidentiality, and availability of the mock API environment.

Detection Guidance

This vulnerability can be detected by checking if the Mockoon Admin API is exposed without authentication on the mock server port (default 0.0.0.0:3000). Since the vulnerable versions serve the Admin API on the same Express listener as user-defined mock routes with permissive CORS settings and no authentication, an unauthenticated request to the admin endpoints can reveal sensitive environment variables or allow modification of mock routes.

To detect the vulnerability, you can attempt to access the Admin API endpoints without authentication and observe the responses.

  • Use curl or similar tools to send requests to the admin API endpoints, for example:
  • curl http://<mockoon-server-ip>:3000/mockoon-admin/env-vars -X GET
  • curl http://<mockoon-server-ip>:3000/mockoon-admin/environment -X PUT -d '{}' -H 'Content-Type: application/json'

If these requests succeed without authentication and return environment variables or allow modifications, the system is vulnerable.

Additionally, scanning your network for open ports exposing Mockoon's default port (3000) and checking for permissive CORS headers (Access-Control-Allow-Origin: *) on the Admin API endpoints can help detect exposure.

Mitigation Strategies

Immediate mitigation steps include updating Mockoon to version 9.7.0 or later, where the Admin API is secured with mandatory Bearer token authentication and tightened CORS restrictions.

If updating immediately is not possible, restrict network access to the Mockoon server port (default 3000) to trusted hosts only, for example by firewall rules or network segmentation.

Disable or bind the Admin API to localhost (loopback interface) to prevent remote access.

Review and remove any exposure of the Admin API on public or untrusted networks, including through tunneling services like ngrok.

Configure the Admin API to require authentication tokens using the new CLI flags (`--admin-api-token`) and set appropriate CORS origins (`--admin-api-cors-origin`) to limit cross-origin requests.

Audit environment variables and mock routes for any unauthorized changes and rotate any potentially compromised secrets.

Compliance Impact

The vulnerability in Mockoon's Admin API prior to version 9.7.0 allows unauthenticated attackers to read sensitive environment variables, including secrets like API keys and JWT secrets, and to write arbitrary environment variables, potentially poisoning secrets used by the operator or downstream services.

Such unauthorized access and manipulation of sensitive data could lead to exposure of personal or confidential information, which may violate data protection regulations such as GDPR or HIPAA that require strict controls over access to sensitive data.

The vulnerability also enables attackers to rewrite mock route responses and harvest authentication tokens, increasing the risk of data breaches and unauthorized data manipulation.

The fix introduced in version 9.7.0 enforces mandatory authentication, restricts CORS settings, redacts sensitive data in logs and API responses, and enforces environment variable write prefixes, thereby mitigating risks of unauthorized data exposure and manipulation.

Operators who do not update or secure their Mockoon deployments risk non-compliance with common security standards and regulations that mandate protection of sensitive data and controlled access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59148. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart