Mattermost Plugins <=2.0.3.0: Sensitive Config Not Masked on Export
CVE-2026-2476 Published on March 16, 2026

MS Teams plugin sensitive config values not properly masked in support packets
Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-2476 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2026-2476 has been classified to as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2026-2476

Want to know whenever a new CVE is published for MatterMost? stack.watch will email you.

MatterMost
 

Affected Versions

Mattermost: