High severity · NVD Advisory · Published Mar 16, 2026 · Updated Mar 16, 2026
MS Teams plugin sensitive config values not properly masked in support packets
CVE-2026-2476
Description
Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values, which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606
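A check for the condition described above, as an added example that is not code from the advisory or from the Mattermost project: it parses a plugin manifest and lists settings whose key or display name reads like a credential but that lack `"secret": true`. The name heuristic, the `UnmaskedSecrets` function and the sample manifest (including `exampleToggle`) are assumptions constructed for illustration; the `settings_schema.settings` layout is that of the Mattermost plugin manifest.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Setting holds the per-setting fields this check needs from plugin.json.
type Setting struct {
	Key         string `json:"key"`
	DisplayName string `json:"display_name"`
	Secret      bool   `json:"secret"` // absent in the manifest means false
}

type manifest struct {
	SettingsSchema struct {
		Settings []Setting `json:"settings"`
	} `json:"settings_schema"`
}

// Heuristic (an assumption of this example): names that usually denote credentials.
var sensitive = regexp.MustCompile(`(?i)secret|password|token|encryption ?key`)

// UnmaskedSecrets returns the keys of settings that look sensitive but lack "secret": true.
func UnmaskedSecrets(raw []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	var out []string
	for _, s := range m.SettingsSchema.Settings {
		looksSensitive := sensitive.MatchString(s.Key) || sensitive.MatchString(s.DisplayName)
		if looksSensitive && !s.Secret {
			out = append(out, s.Key)
		}
	}
	return out, nil
}

// Constructed sample: one setting without the flag, one with it, one non-sensitive.
const sampleManifest = `{"settings_schema": {"settings": [
 {"key": "encryptionKey", "display_name": "At Rest Encryption Key:", "type": "generated"},
 {"key": "webhookSecret", "display_name": "Webhook secret", "type": "generated", "secret": true},
 {"key": "exampleToggle", "display_name": "Example toggle", "type": "bool"}
]}}`

func main() { fmt.Println(UnmaskedSecrets([]byte(sampleManifest))) }
```

Run against a real `plugin.json` in CI, a non-empty result is the signal to review the listed settings before release.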
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-plugin-msteams (Go) | < 1.15.1-0.20260102165339-036c761bd3cb | 1.15.1-0.20260102165339-036c761bd3cb |
Affected products
- Range: 0
Patches
036c761bd3cb · fix: values in plugin settings not being masked in plugin configuration (#893)
1 file changed · +5 −2
plugin.json+5 −2 modified@@ -38,19 +38,22 @@ "display_name": "Client Secret", "type": "text", "help_text": "Microsoft Teams Client Secret", + "secret": true, "default": "" }, { "key": "encryptionKey", "display_name": "At Rest Encryption Key:", "type": "generated", - "help_text": "The AES encryption key used to encrypt stored access tokens" + "help_text": "The AES encryption key used to encrypt stored access tokens", + "secret": true }, { "key": "webhookSecret", "display_name": "Webhook secret", "type": "generated", - "help_text": "Microsoft Teams will use this secret to send messages to Mattermost" + "help_text": "Microsoft Teams will use this secret to send messages to Mattermost", + "secret": true }, { "key": "evaluationAPI",
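Review bot: the three `"secret": true` additions (Client Secret, `encryptionKey`, `webhookSecret`) are opt-in per setting, and nothing in this change stops a future sensitive setting from shipping without the flag; consider a test that fails when a setting whose key or display name reads like a credential lacks `"secret": true`. The hunk starts at line 38 and ends at `evaluationAPI`, so it is worth confirming that the settings outside the visible range hold no other sensitive values. Values exported before this fix remain in any support packets already generated, so the release notes should advise admins to consider rotating the client secret, encryption key and webhook secret if such packets were shared.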
References
- github.com/advisories/GHSA-4ppj-6chv-5pgc [ghsa, ADVISORY]
- mattermost.com/security-updates [ghsa, vendor-advisory, WEB]
- nvd.nist.gov/vuln/detail/CVE-2026-2476 [ghsa, ADVISORY]
- github.com/mattermost/mattermost-plugin-msteams/commit/036c761bd3cb9ece92c17f2b151dfa906cebdcf6 [ghsa, WEB]