Skip to main content

Suse EUVDEUVD-2026-12387

| CVE-2026-2476 HIGH
Information Exposure (CWE-200)
2026-03-16 Mattermost GHSA-4ppj-6chv-5pgc
7.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 12:00 euvd
EUVD-2026-12387
Analysis Generated
Mar 16, 2026 - 12:00 vuln.today
CVE Published
Mar 16, 2026 - 11:11 nvd
HIGH 7.6

DescriptionCVE.org

Mattermost Plugins versions <=2.0.3.0 fail to properly mask sensitive configuration values which allows an attacker with access to support packets to obtain original plugin settings via exported configuration data. Mattermost Advisory ID: MMSA-2026-00606

AnalysisAI

A sensitive information disclosure vulnerability in Mattermost Plugins versions 2.0.3.0 and earlier fails to properly mask sensitive configuration values in support packets, allowing attackers with high privileges to extract original plugin settings from exported configuration data. The vulnerability requires authenticated access with high privileges (CVSS 7.6) and enables attackers to obtain sensitive configuration data that should be masked, potentially exposing API keys, credentials, or other sensitive plugin configurations. No active exploitation or proof-of-concept has been reported, and the vulnerability requires significant access privileges to exploit.

Technical ContextAI

The vulnerability affects Mattermost Plugins as identified by CPE cpe:2.3:a:mattermost:mattermost:*:*:*:*:*:*:*:*, specifically versions up to and including 2.0.3.0. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), which occurs when the software exposes sensitive information through observable discrepancies in behavior, response times, or resource consumption. In this case, the plugin framework fails to properly sanitize or mask sensitive configuration values when generating support packets, which are diagnostic exports typically used for troubleshooting that should redact sensitive data before sharing.

RemediationAI

Upgrade Mattermost Plugins to a version newer than 2.0.3.0 as recommended in Mattermost security advisory MMSA-2026-00606 available at https://mattermost.com/security-updates. As an immediate mitigation, restrict access to support packet generation functionality to only essential personnel and implement additional access controls around diagnostic export features. Organizations should audit existing support packets for potential exposure of sensitive configuration data and rotate any credentials that may have been inadvertently exposed through previously generated support packets.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

EUVD-2026-12387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy