CVE-2026-59148

Source
https://cve.org/CVERecord?id=CVE-2026-59148
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59148.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59148
Aliases
  • GHSA-rqx4-3f6q-3x2v
Published
2026-07-09T18:27:18.579Z
Modified
2026-07-15T01:49:14.704603175Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Mockoon: Unauthenticated admin API + wildcard CORS allows mock-state hijack and secret theft
Details

Mockoon provides way to design and run mock APIs. Prior to 9.7.0, Mockoon's admin API in commons-server/src/libs/server/admin-api.ts is mounted on the same Express listener as user-defined mock routes, enabled by default in shipped runtimes, serves Access-Control-Allow-Origin: * with write methods allowed, and has no authentication. Any unauthenticated caller who can reach the mock server port can read MOCKOON_* environment variables, write arbitrary process environment variables through /mockoon-admin/env-vars, rewrite mock route bodies, statuses, and headers through PUT /mockoon-admin/environment, read transaction logs and SSE streams, and purge state. This issue is fixed in version 9.7.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59148.json",
    "cwe_ids": [
        "CWE-306",
        "CWE-352",
        "CWE-732",
        "CWE-942"
    ]
}
References

Affected packages

Git / github.com/mockoon/mockoon

Affected ranges

Type
GIT
Repo
https://github.com/mockoon/mockoon
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.7.0"
        }
    ]
}

Affected versions

cli-v1.*
cli-v1.6.1
cli-v1.6.2
cli-v2.*
cli-v2.0.0
cli-v2.1.0
cli-v2.2.0
cli-v2.2.1
cloud-v9.*
cloud-v9.3.1
cloud-v9.3.2
Other
libs-v2023-01
libs-v2023-03
libs-v3.*
libs-v3.0.0
libs-v3.1.0
libs-v4.*
libs-v4.0.0
libs-v4.1.0
libs-v5.*
libs-v5.0.0
libs-v5.1.0
libs-v6.*
libs-v6.0.0
libs-v6.0.1
libs-v6.1.0
libs-v6.2.0
libs-v7.*
libs-v7.0.0
libs-v8.*
libs-v8.0.0
libs-v8.1.0
libs-v8.1.1
libs-v8.2.0
libs-v8.3.0
libs-v8.4.0
libs-v9.*
libs-v9.0.0
libs-v9.1.0
libs-v9.2.0
libs-v9.3.0
libs-v9.4.0
libs-v9.5.0
libs-v9.6.0
libs-v9.6.1
libs-v9.7.0
v0.*
v0.1.0
v0.1.1
v0.2.0
v0.3.0
v0.4.0
v1.*
v1.0.0
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.13.0
v1.14.0
v1.14.1
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.18.1
v1.19.0
v1.2.0
v1.20.0
v1.21.0
v1.21.1
v1.22.0
v1.23.0
v1.3.0
v1.4.0
v1.5.0
v1.5.1
v1.6.0
v1.7.0
v1.8.0
v1.9.0
v3.*
v3.0.0
v3.1.0
v4.*
v4.0.0
v4.1.0
v5.*
v5.0.0
v5.1.0
v6.*
v6.0.0
v6.0.1
v6.1.0
v6.2.0
v7.*
v7.0.0
v8.*
v8.0.0
v8.1.0
v8.1.1
v8.2.0
v8.3.0
v8.4.0
v9.*
v9.0.0
v9.1.0
v9.2.0
v9.3.0
v9.4.0
v9.5.0
v9.6.0
v9.6.1
v9.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59148.json"