CVE-2026-32994
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID. The endpoint fetches the message via Messages.findOneById(messageId) with no room access check (canAccessRoomIdAsync is never called), returning the complete IMessage object including message text, sender info, room ID, timestamps, and markdown content.
| CWE | CWE-284 |
| Vendor | rocket.chat |
| Product | rocket.chat |
| Published | May 19, 2026 |
| Last Updated | May 19, 2026 |
Stay Ahead of the Next One
Get instant alerts for rocket.chat rocket.chat
Be the first to know when new medium vulnerabilities affecting rocket.chat rocket.chat are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Affected Versions
Rocket.Chat / Rocket.Chat
0 < 8.5.0 0 < 8.4.2 0 < 8.3.4 0 < 8.2.4 0 < 8.1.5 0 < 8.0.6 0 < 7.13.8 0 < 7.10.12