CVE-2026-32994

CVE-2026-32994 PUBLISHED

Assigner: hackerone
Reserved: 17.03.2026 Published: 19.05.2026 Updated: 19.05.2026

The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID. The endpoint fetches the message via Messages.findOneById(messageId) with no room access check (canAccessRoomIdAsync is never called), returning the complete IMessage object including message text, sender info, room ID, timestamps, and markdown content.

Metrics

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.0

Product Status

Vendor	Rocket.Chat
Product	Rocket.Chat
Versions	Default: unaffected affected from 0 to 8.5.0 (excl.) affected from 0 to 8.4.2 (excl.) affected from 0 to 8.3.4 (excl.) affected from 0 to 8.2.4 (excl.) affected from 0 to 8.1.5 (excl.) affected from 0 to 8.0.6 (excl.) affected from 0 to 7.13.8 (excl.) affected from 0 to 7.10.12 (excl.)

Vendor

Rocket.Chat

Product

Rocket.Chat

Versions

Default: unaffected

affected from 0 to 8.5.0 (excl.)
affected from 0 to 8.4.2 (excl.)
affected from 0 to 8.3.4 (excl.)
affected from 0 to 8.2.4 (excl.)
affected from 0 to 8.1.5 (excl.)
affected from 0 to 8.0.6 (excl.)
affected from 0 to 7.13.8 (excl.)
affected from 0 to 7.10.12 (excl.)

References

Problem Types

CWE-284 Improper Access Control - Generic CWE