Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606
AnalysisAI
A sensitive information disclosure vulnerability in Mattermost Plugins versions 2.0.3.0 and earlier fails to properly mask sensitive configuration values in support packets, allowing attackers with high privileges to extract original plugin settings from exported configuration data. The vulnerability requires authenticated access with high privileges (CVSS 7.6) and enables attackers to obtain sensitive configuration data that should be masked, potentially exposing API keys, credentials, or other sensitive plugin configurations. No active exploitation or proof-of-concept has been reported, and the vulnerability requires significant access privileges to exploit.
Technical ContextAI
The vulnerability affects Mattermost Plugins as identified by CPE cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*, specifically versions up to and including 2.0.3.0. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), which occurs when the software exposes sensitive information through observable discrepancies in behavior, response times, or resource consumption. In this case, the plugin framework fails to properly sanitize or mask sensitive configuration values when generating support packets, which are diagnostic exports typically used for troubleshooting that should redact sensitive data before sharing.
RemediationAI
Upgrade Mattermost Plugins to a version newer than 2.0.3.0 as recommended in Mattermost security advisory MMSA-2026-00606 available at https://mattermost.com/security-updates. As an immediate mitigation, restrict access to support packet generation functionality to only essential personnel and implement additional access controls around diagnostic export features. Organizations should audit existing support packets for potential exposure of sensitive configuration data and rotate any credentials that may have been inadvertently exposed through previously generated support packets.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12387
GHSA-4ppj-6chv-5pgc