CVE-2025-27936

Summary

Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.

Affected Software

VendorProductVersion RangeStatus
MattermostMattermost10.5.0 <= 10.5.1affected
MattermostMattermost10.6.0unaffected
MattermostMattermost10.5.2unaffected

Weaknesses

  • CWE-208: CWE-208: Observable Timing Discrepancy

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References