Missing Authentication for Critical Function Affecting @mockoon/commons-server package, versions <9.7.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.17% (7th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Missing Authentication for Critical Function vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-MOCKOONCOMMONSSERVER-17957231
  • published13 Jul 2026
  • disclosed9 Jul 2026
  • creditSajda Kabir,zerotrail

Introduced: 9 Jul 2026

NewCVE-2026-59148  (opens in a new tab)
CWE-306  (opens in a new tab)

How to fix?

Upgrade @mockoon/commons-server to version 9.7.0 or higher.

Overview

@mockoon/commons-server is a Mockoon's commons server library. Used in Mockoon desktop application and CLI.

Affected versions of this package are vulnerable to Missing Authentication for Critical Function in admin-api.ts, which mounts the admin API on the same listener as user-defined mock routes (enabled by default via packages/cli/src/commands/start.ts and packages/serverless/src/libs/serverless.ts) and serves every endpoint with Access-Control-Allow-Origin: *, all HTTP methods, and no authentication. An attacker can read MOCKOON_* secrets, overwrite arbitrary process.env variables, rewrite mock route responses at runtime, and harvest consumer request bodies and authentication headers from the logs by sending unauthenticated requests to the /mockoon-admin endpoints, and the wildcard CORS lets these requests land cross-origin from a browser when a developer visits a malicious site while the server runs. Exploitation requires network reach to the mock server port, which by default binds to all interfaces at 0.0.0.0:3000 with the admin API enabled, while the cross-origin path additionally requires the developer to visit a malicious site during a local run.

Workaround

This vulnerability can be avoided by starting the CLI with the --disable-admin-api flag, which turns off the admin API that is otherwise enabled by default while leaving the mock server functional.

CVSS Base Scores

version 4.0
version 3.1