CVE-2026-32995
Remote Message Content Exposure in Rocket.Chat
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: HackerOne
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rocket_chat | rocket_chat | versions before 8.5.0 (8.5.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Rocket.Chat DDP method autoTranslate.translateMessage in versions prior to 8.5.0 (several earlier release lines are affected). The method accepts a client-supplied IMessage object and passes it directly to translateMessage() without verifying the caller's identity or the caller's membership in the room the message belongs to.
As a result, any authenticated DDP user can read the content of any message by its ID, from any room, including private channels, direct messages, and end-to-end encrypted rooms, simply by calling this method.
How can this vulnerability impact me?
This vulnerability allows unauthorized access to private message content. An attacker who is an authenticated user can read messages from any room without being a member of that room.
This can lead to exposure of sensitive or confidential information shared in private channels, direct messages, or even end-to-end encrypted rooms, compromising user privacy and data confidentiality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exploitation of this vulnerability means finding calls to the Rocket.Chat DDP method autoTranslate.translateMessage that were made by users who are not members of the room the requested message belongs to.
Because any authenticated DDP user can read messages by ID from any room, the key signal is translateMessage calls whose caller and target room do not match, or an unusual volume of such calls from a single account.
Inspect the Rocket.Chat server logs for translateMessage calls and check whether the calling user is actually a member of the room of each requested message.
- Use network traffic analysis tools (e.g., Wireshark or tcpdump) to capture DDP traffic and filter for translateMessage method calls. Note that DDP runs over WebSocket and is normally TLS-protected, so capture at the TLS-terminating proxy or rely on application logs instead.
- On the server, check the logs or enable debug logging to record translateMessage calls, then verify user IDs against room memberships.
- Example command to search the logs (assuming method calls are logged): `grep translateMessage /path/to/rocketchat/logs`
- Use Rocket.Chat's API or database queries to audit message access patterns for anomalies, such as one user requesting translations of messages across many rooms they do not belong to.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update Rocket.Chat to 8.5.0 or later, which includes the security fix that enforces proper server-side validation for the translateMessage method.
The fix verifies that the caller is authenticated, validates the input, confirms that the message exists, and checks the caller's room membership before any translation is performed.
Until you can update, consider restricting access to the translateMessage method or disabling the auto-translate feature if possible.
Monitor and audit usage of the translateMessage method so that unauthorized access attempts are detected and responded to.