CVE-2026-32994
Status: Deferred - Pending Action

Authenticated Message Content Exposure in Rocket.Chat API

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: HackerOne

Description

The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID. The endpoint fetches the message via Messages.findOneById(messageId) with no room access check (canAccessRoomIdAsync is never called), returning the complete IMessage object including message text, sender info, room ID, timestamps, and markdown content.
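The missing check described above, as an added example that is not Rocket.Chat's own code: the vulnerable handler shape beside a hardened one, run over constructed in-memory rooms and messages. `findOneById` and `canAccessRoomId` are synchronous stand-ins for `Messages.findOneById` and `canAccessRoomIdAsync`, and the room-access rule (public channels open to every workspace member, private groups and DMs only to their members) is a simplifying assumption.

```javascript
// Added example, not Rocket.Chat's code: an in-memory model of the
// translateMessage handler, showing the missing room-membership check.

// Constructed sample data: one public channel and one private group.
const rooms = {
  general: { _id: 'general', t: 'c', members: ['alice', 'bob'] },
  secret:  { _id: 'secret',  t: 'p', members: ['alice'] },
};
const messages = {
  m1: { _id: 'm1', rid: 'general', u: { username: 'bob' },   msg: 'lunch at noon?' },
  m2: { _id: 'm2', rid: 'secret',  u: { username: 'alice' }, msg: 'board minutes attached' },
};

// Stand-in for Messages.findOneById: lookup by message ID only, no caller context.
const findOneById = (id) => messages[id] || null;

// Stand-in for canAccessRoomIdAsync (assumed rule: public channels readable by
// any workspace member, private groups and DMs only by their members).
const canAccessRoomId = (rid, userId) => {
  const room = rooms[rid];
  return !!room && (room.t === 'c' || room.members.includes(userId));
};

// Vulnerable shape: any authenticated caller gets the message back by ID.
function translateMessageVulnerable(userId, messageId) {
  const message = findOneById(messageId);
  if (!message) throw new Error('invalid-message');
  return message;
}

// Hardened shape: authorize the caller against the message's room first.
function translateMessageFixed(userId, messageId) {
  const message = findOneById(messageId);
  // Same error for "not found" and "not authorized", so the endpoint cannot
  // be used to confirm that a given message ID exists in a hidden room.
  if (!message || !canAccessRoomId(message.rid, userId)) {
    throw new Error('invalid-message');
  }
  return message;
}
```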

Meta Information

  • Generated: 2026-06-30
  • AI Q&A: 2026-05-19
  • EPSS evaluated: 2026-06-28
  • External records: NVD, EUVD

Affected Vendors & Products

Currently, no data is known.

Exploitability

CWE: CWE-284 (Improper Access Control) - The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Executive Summary

This vulnerability exists in the /api/v1/autotranslate.translateMessage endpoint of Rocket.Chat versions prior to 8.5.0 and the other patched-branch versions listed in the description. It allows any authenticated user to retrieve the full content of any message from any room, including private groups, direct messages, and channels, simply by providing the target message ID.

The issue arises because the endpoint fetches the message using Messages.findOneById(messageId) without performing any room access checks (the canAccessRoomIdAsync function is never called). As a result, the complete IMessage object is returned, which includes message text, sender information, room ID, timestamps, and markdown content.

Compliance Impact

This vulnerability allows any authenticated user to retrieve the full content of any message from any room, including private groups and direct messages, without proper access checks.

Such unauthorized access to private and potentially sensitive message content could lead to violations of data privacy and protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Therefore, this vulnerability poses a risk to compliance with these common standards by potentially exposing confidential communication data to unauthorized users.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information because any authenticated user can access the full content of messages from any room, including private and direct messages.

  • Exposure of private communications and sensitive data.
  • Potential privacy violations for users whose messages are accessed without permission.
  • Loss of trust in the confidentiality of the messaging platform.
