CVE-2025-27936

MEDIUM

Mattermost Plugin MSTeams <2.1.0 & Mattermost Server 10.5.x <=10.5....

Title source: llm

Description

Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 5.3

EPSS 0.0021

EPSS Percentile 43.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-208

Status published

Products (4)

mattermost/mattermost 10.5.0 - 10.5.2Go

mattermost/mattermost-plugin-msteams 0 - 2.1.0Go

mattermost/mattermost_server < 10.5.2

mattermost/ms_teams < 2.1.0

Published Apr 16, 2025

Tracked Since Feb 18, 2026