CVE-2026-2476

HIGH

MS Teams plugin sensitive config values not properly masked in support packets

Title source: cna

Description

Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606

References (1)

[Vendor Advisory] https://mattermost.com/security-updates

Scores

CVSS v3 7.6

EPSS 0.0004

EPSS Percentile 10.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (4)

Mattermost/Mattermost < 2.0.3

Mattermost/Mattermost 2.3.1.0

mattermost/mattermost-plugin-msteams 0 - 1.15.1-0.20260102165339-036c761bd3cbGo

mattermost/ms_teams < 2.3.1

Published Mar 16, 2026

Tracked Since Mar 16, 2026