CVE-2026-59148
Mockoon · Mockoon
Mockoon is susceptible to multiple vulnerabilities, including missing authentication for critical functions and Cross-Site Request Forgery (CSRF), potentially allowing unauthorized administrative actions.
Executive summary
Missing authentication and CSRF vulnerabilities in Mockoon could allow an attacker to perform unauthorized actions, leading to full system compromise.
Vulnerability
This issue encompasses missing authentication for critical functions (CWE-306), CSRF (CWE-352), and incorrect permission assignments (CWE-732). These flaws allow an attacker to bypass security controls and execute unauthorized administrative commands, effectively hijacking the application's functionality.
Business impact
The combination of these vulnerabilities poses a severe risk to the integrity and availability of mock API environments. With a CVSS score of 8.8, successful exploitation could lead to unauthorized access, data compromise, and the manipulation of API configurations, which could be used to facilitate further attacks on downstream development or testing environments.
Remediation
Immediate Action: Update the Mockoon software to version 9.7.0 or newer to address these security deficiencies.
Proactive Monitoring: Review application access logs for unusual administrative activity or requests originating from unexpected sources.
Compensating Controls: Restrict access to the Mockoon dashboard to trusted network segments or VPNs, and ensure that any web-based management interface is protected by secondary authentication measures.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Users of Mockoon must upgrade to version 9.7.0 immediately. The presence of multiple high-severity weaknesses, including CSRF and broken authentication, makes the application a significant target for internal and external actors if left unpatched.