Description
The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID. The endpoint fetches the message via Messages.findOneById(messageId) with no room access check (canAccessRoomIdAsync is never called), returning the complete IMessage object including message text, sender info, room ID, timestamps, and markdown content.
Published: 2026-05-19
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The /api/v1/autotranslate.translateMessage endpoint in Rocket.Chat allows any authenticated user to retrieve the complete content of any message in any room, including private groups, direct messages, and channels. The endpoint fetches a message by ID without performing a room access check, returning the full IMessage object with text, sender information, room ID, timestamps, and markdown. This flaw represents a classic improper access control vulnerability (CWE-284) that can expose confidential communications to any logged-in user.
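The defect named in the Description and restated in this Impact paragraph, modelled as an added illustration in TypeScript (this is not Rocket.Chat's own code): a minimal handler that looks a message up by ID and returns it to any authenticated caller, beside the same handler with the room access check in place. The data model, the helpers findOneById and canAccessRoomId, and the sample rooms and messages are assumptions constructed for the example.

```typescript
// Added illustration (not Rocket.Chat's code): minimal model of the
// translateMessage handler with the room access check missing, beside a
// hardened version. Names and data below are assumptions for the example.
interface Message { _id: string; rid: string; msg: string; u: { _id: string; username: string } }
interface Room { _id: string; t: 'c' | 'p' | 'd'; members: string[] }

// Constructed sample data: one public channel, one private group.
const rooms: Room[] = [
  { _id: 'GENERAL', t: 'c', members: ['alice', 'bob'] },
  { _id: 'SECRET', t: 'p', members: ['alice'] },
];
const messages: Message[] = [
  { _id: 'm1', rid: 'GENERAL', msg: 'hello everyone', u: { _id: 'alice', username: 'alice' } },
  { _id: 'm2', rid: 'SECRET', msg: 'board minutes', u: { _id: 'alice', username: 'alice' } },
];

function findOneById(id: string): Message | undefined {
  return messages.find((m) => m._id === id);
}

// Access rule assumed for the example: public channels are readable by any
// logged-in user; private groups and DMs only by their members.
function canAccessRoomId(rid: string, userId: string): boolean {
  const room = rooms.find((r) => r._id === rid);
  if (!room) return false;
  return room.t === 'c' || room.members.includes(userId);
}

// Vulnerable pattern (the defect described on this page): the message is
// looked up by ID and returned to any authenticated caller; the caller's
// access to the message's room is never checked.
function translateMessageVulnerable(_userId: string, messageId: string): Message {
  const message = findOneById(messageId);
  if (!message) throw new Error('invalid-message');
  return message; // full object: text, sender, room ID, ... for any caller
}

// Hardened pattern: authorize the caller against the message's room before
// returning anything about the message.
function translateMessageFixed(userId: string, messageId: string): Message {
  const message = findOneById(messageId);
  // Same error whether the message is missing or off-limits, so the
  // endpoint does not confirm which message IDs exist.
  if (!message || !canAccessRoomId(message.rid, userId)) throw new Error('unauthorized');
  return message;
}
```

In the fixed handler the authorization decision is made on the message's room (message.rid), not on anything the caller supplies, which is the check the page reports as absent.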

Affected Systems

All Rocket.Chat releases prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 are susceptible.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, indicating moderate severity. No EPSS score is available. The attack vector requires authentication (PR:L), so only users who can log into the system can exploit it. The flaw is not listed in CISA's KEV catalog, and no public exploitation reports are currently known. Nevertheless, any compromised or legitimate user could harvest the content of private or sensitive messages, potentially violating confidentiality and privacy requirements.

Generated by OpenCVE AI on May 19, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rocket.Chat to a version equal to or newer than the patched releases listed above.
  • Disable or remove the autotranslate.translateMessage API endpoint if it is not needed in your deployment.
  • Restrict API access by enforcing stricter authentication or scope limits for unauthenticated or low‑privilege users.

Advisories

No advisories yet.

History

Tue, 19 May 2026 06:45:00 +0000

Type                 Values Removed   Values Added
Title                                 Authenticated Message Retrieval via Autotranslate Endpoint in Rocket.Chat
First Time appeared                   Rocket.chat, Rocket.chat rocket.chat
Vendors & Products                    Rocket.chat, Rocket.chat rocket.chat

Tue, 19 May 2026 05:00:00 +0000

Type                 Values Removed   Values Added
Description                           The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID. The endpoint fetches the message via Messages.findOneById(messageId) with no room access check (canAccessRoomIdAsync is never called), returning the complete IMessage object including message text, sender info, room ID, timestamps, and markdown content.
Weaknesses                            CWE-284
References
Metrics                               cvssV3_0 {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-19T04:43:41.777Z

Reserved: 2026-03-17T15:00:07.746Z

Link: CVE-2026-32994

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-19T05:16:23.787

Modified: 2026-05-19T05:16:23.787

Link: CVE-2026-32994

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T06:30:35Z

Weaknesses