PatchSiren cyber security CVE debrief
CVE-2026-59149 mockoon CVE debrief
CVE-2026-59149 is a medium-severity vulnerability in Mockoon, a tool for designing and running mock APIs. The issue allows an unauthenticated client to read files from sibling paths outside the served directory through HTTP sendFile, WebSocket, or callbacks. This is due to a flawed prefix test in the getSafeFilePath function, which does not properly validate path separators, permitting a ../-escaped path to access files outside the intended directory.
- Vendor
- mockoon
- Product
- Unknown
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-09
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-09
- Advisory updated
- 2026-07-10
Who should care
Users of Mockoon, especially those who expose Mockoon to untrusted networks or use it in production environments, should be aware of this vulnerability. Developers and administrators responsible for deploying and managing Mockoon instances should prioritize patching to version 9.7.0 or later.
Technical summary
The vulnerability exists in the getSafeFilePath function within the server.ts file of Mockoon's commons-server package. The function is intended to confine file paths within a specified base directory. However, due to a flawed implementation that lacks proper path-separator boundary checks, an attacker can manipulate file paths using ../ escape sequences. This allows an unauthenticated client to access files outside the served directory, potentially leading to unauthorized file disclosure.
Defensive priority
Medium
Recommended defensive actions
- Upgrade Mockoon to version 9.7.0 or later
- Review and restrict access to Mockoon instances, especially if they are exposed to untrusted networks
- Implement additional monitoring and logging to detect potential exploitation attempts
- Consider using compensating controls such as Web Application Firewalls (WAFs) to detect and prevent directory traversal attacks
- Confirm whether affected Mockoon deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
The CVE record was published on 2026-07-09T19:17:07.207Z and was last modified on 2026-07-10T19:15:15.780Z. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM. The CVE is associated with CWE-22 and CWE-23.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T19:17:07.207Z and has not been modified since then.