Description
Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606
Published: 2026-03-16
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in Mattermost Teams plugins up to version 2.0.3.0, where sensitive configuration values are not properly masked before being exported in support packets. An attacker who can access these packets can retrieve the original plugin settings, potentially exposing credentials, tokens, or other confidential data. The weakness belongs to the CWE-200 class, emphasizing unauthorized disclosure of information.

Affected Systems

Mattermost’s MS Teams plugins, specifically any installations running versions 2.0.3.0 or earlier, are affected. The issue impacts the Mattermost product as a whole, as the plugin configuration is part of its exported support data.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity, while an EPSS score below 1% suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation yet. The attack vector is inferred to be local or remote depending on an attacker’s ability to obtain support packets, which generally requires privileged access or a supply chain compromise. Once the packet is accessed, the attacker can read the unmasked settings, leading to potential credential compromise and further attacks.

Generated by OpenCVE AI on March 20, 2026 at 19:27 UTC.

Remediation

Vendor Solution

Update Mattermost Plugins to versions 2.3.1.0 or higher.

OpenCVE Recommended Actions

  • Update Mattermost Plugins to version 2.3.1.0 or higher
  • Verify plugin version after update
  • If immediate update is unavailable, limit access to support packets and remove sensitive configuration values before exporting
  • Monitor for any unmasked configuration data being exported

Generated by OpenCVE AI on March 20, 2026 at 19:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4ppj-6chv-5pgc Mattermost Microsoft Teams Plugin fails to properly mask sensitive configuration values
References
Link Providers
https://mattermost.com/security-updates cve-icon cve-icon
History

Fri, 20 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Mattermost
Mattermost ms Teams
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mattermost:ms_teams:*:*:*:*:*:mattermost:*:*
Vendors & Products Mattermost
Mattermost ms Teams

Mon, 16 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 11:30:00 +0000

Type Values Removed Values Added
Description Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606
Title MS Teams plugin sensitive config values not properly masked in support packets
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Mattermost Ms Teams
cve-icon MITRE

Status: PUBLISHED

Assigner: Mattermost

Published:

Updated: 2026-03-16T13:49:58.500Z

Reserved: 2026-02-13T15:59:24.864Z

Link: CVE-2026-2476

cve-icon Vulnrichment

Updated: 2026-03-16T13:44:21.926Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:19:30.373

Modified: 2026-03-20T18:29:11.980

Link: CVE-2026-2476

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T07:02:48Z

Weaknesses