PT-2025-16571 · Mattermost · Mattermost Server+1

Juho Forsén · Published 2025-04-16 · Updated 2025-04-23 · CVE-2025-27936

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Mattermost Plugin MSTeams versions prior to 2.1.0; Mattermost Server versions 10.5.x through 10.5.1

Description: The issue allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison. This is due to the failure to perform a constant-time comparison on the MSTeams plugin webhook secret.

Recommendations: For Mattermost Plugin MSTeams versions prior to 2.1.0, update to version 2.1.0 or later to resolve the issue. For Mattermost Server versions 10.5.x through 10.5.1 with the MS Teams plugin enabled, update to a version later than 10.5.1 or disable the MS Teams plugin until a patch is available.
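The weakness described above, shown as an added Go example written for this advisory (it is not code from the Mattermost server or the MSTeams plugin): an early-exit comparison whose work depends on how long the correct prefix is, beside a comparison that hashes both values and uses hmac.Equal so every byte is examined. The secret value and function names are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed sample secret; a real deployment reads it from plugin configuration.
const expectedSecret = "s3cr3t-webhook-token"

// naiveSteps counts how many byte comparisons an early-exit check performs before
// returning. The count, and therefore the run time, grows with the length of the
// correct prefix: that dependency is the timing side channel.
func naiveSteps(received, expected string) int {
	if len(received) != len(expected) {
		return 0
	}
	steps := 0
	for i := 0; i < len(expected); i++ {
		steps++
		if received[i] != expected[i] {
			return steps
		}
	}
	return steps
}

// vulnerableMatch is the early-exit pattern: Go's == on strings stops at the
// first differing byte after a length check, so its timing leaks the prefix.
func vulnerableMatch(received, expected string) bool {
	return received == expected
}

// constantTimeMatch hashes both values so their lengths are equalised, then uses
// hmac.Equal, which compares every byte regardless of where a mismatch occurs.
func constantTimeMatch(received, expected string) bool {
	r := sha256.Sum256([]byte(received))
	e := sha256.Sum256([]byte(expected))
	return hmac.Equal(r[:], e[:])
}

func main() {
	for _, guess := range []string{"x3cr3t-webhook-token", "s3cr3t-webhook-tokeX", expectedSecret} {
		fmt.Printf("%-22q steps=%2d vulnerable=%-5t constant=%t\n",
			guess, naiveSteps(guess, expectedSecret),
			vulnerableMatch(guess, expectedSecret), constantTimeMatch(guess, expectedSecret))
	}
}
```

The step counts make the leak visible without a timer: a guess wrong in the first byte costs one comparison, a guess wrong only in the last byte costs twenty, which is the signal a timing attack measures.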

Related Identifiers

CVE-2025-27936
GHSA-2J87-P623-8CC2
GO-2025-3618
OPENSUSE-SU-2025:15017-1

Affected Products

Mattermost Plugin Msteams
Mattermost Server