CVE-2026-2476 — Sensitive Information Exposure in Mattermost Mattermost-plugin-msteams

CWE-200 — Sensitive Information Exposure6 documents5 sources

Severity

4.3MEDIUMNVD

CNA7.6

EPSS

0.0%

top 91.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Mattermost Mattermost-plugin-msteams Mattermost MS Teams Mattermost

Timeline

PublishedMar 16

Latest updateMar 23

Description

Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Gogithub.com/mattermost_mattermost-plugin-msteams< 1.15.1-0.20260102165339-036c761bd3cb

▶NVDmattermost/ms_teams< 2.3.1

▶CVEListV5mattermost/mattermost2.0.3

🔴Vulnerability Details

OSV

Mattermost Microsoft Teams Plugin fails to properly mask sensitive configuration values in github.com/mattermost/mattermost-plugin-msteams↗2026-03-23

▶

OSV

Mattermost Microsoft Teams Plugin fails to properly mask sensitive configuration values↗2026-03-16

▶

CVEList

MS Teams plugin sensitive config values not properly masked in support packets↗2026-03-16

▶

GHSA

Mattermost Microsoft Teams Plugin fails to properly mask sensitive configuration values↗2026-03-16

▶

🕵️Threat Intelligence

Wiz

CVE-2026-2476 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶