CVE-2026-2476: Mattermost Microsoft Teams Plugin fails to properly mask sensitive configuration values

March 16, 2026 (updated March 19, 2026)

Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606

References

github.com/advisories/GHSA-4ppj-6chv-5pgc
github.com/mattermost/mattermost-plugin-msteams
github.com/mattermost/mattermost-plugin-msteams/commit/036c761bd3cb9ece92c17f2b151dfa906cebdcf6
mattermost.com/security-updates
nvd.nist.gov/vuln/detail/CVE-2026-2476

Code Behaviors & Features

Detect and mitigate CVE-2026-2476 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →