Impact
The Rocket.Chat Meteor method autoTranslate.translateMessage accepts a client-supplied message object and hands it straight to the translation function without verifying the caller's Meteor.userId() or confirming that the caller is a member of the room the message belongs to. Because of this missing access control, any authenticated DDP user can request the content of any message by its ID, regardless of whether the message resides in a private channel, a direct message or an end-to-end encrypted room. The result is an information disclosure that breaks the confidentiality of message content.
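The pattern described above, as an added example that is not Rocket.Chat's own code: a Meteor-style method in the vulnerable shape (the client-supplied object is resolved and translated with no caller or membership check) next to a hardened form that authenticates the caller, reloads the message server-side by ID only, and authorizes against the room recorded on the stored message. The collections, the MethodError class standing in for Meteor.Error, the error codes and the translation backend are in-memory stand-ins and assumptions for illustration, not Rocket.Chat's schema or API.

```javascript
// Added example, not Rocket.Chat's code: vulnerable vs. hardened method shape.

// Stand-in for Meteor.Error: `error` carries a machine-readable code.
class MethodError extends Error {
  constructor(code, reason) {
    super(reason || code);
    this.error = code;
  }
}

// Constructed sample data (not a real Rocket.Chat schema; the field names
// rid/msg/u only mirror the advisory's wording). Mallory is a member of
// GENERAL but not of the direct-message room between Alice and Bob.
const messages = new Map([
  ['msgPublic1', { _id: 'msgPublic1', rid: 'GENERAL', msg: 'lunch at noon?', u: { _id: 'alice' } }],
  ['msgDm1', { _id: 'msgDm1', rid: 'dmAliceBob', msg: 'rotate the prod db password tonight', u: { _id: 'alice' } }],
]);
const memberships = new Set([
  'GENERAL:alice', 'GENERAL:bob', 'GENERAL:mallory',
  'dmAliceBob:alice', 'dmAliceBob:bob',
]);

// Stub translation backend; upper-casing makes the data flow visible.
function translateText(text, targetLanguage) {
  return `[${targetLanguage}] ${text.toUpperCase()}`;
}

// Vulnerable shape: whatever message the client names is looked up and
// translated, with no check on who is asking or which room it lives in.
function vulnerableTranslateMessage(ctx, clientMessage, targetLanguage) {
  const stored = messages.get(clientMessage._id);
  if (!stored) throw new MethodError('error-invalid-message');
  return translateText(stored.msg, targetLanguage);
}

// Hardened shape: require a logged-in caller, validate the only client field
// that is trusted (the _id), reload the message server-side, and check
// membership against stored.rid rather than any rid the client sent.
function hardenedTranslateMessage(ctx, clientMessage, targetLanguage) {
  if (!ctx.userId) throw new MethodError('error-invalid-user', 'login required');
  if (!clientMessage || typeof clientMessage._id !== 'string') {
    throw new MethodError('error-invalid-params', 'message _id must be a string');
  }
  const stored = messages.get(clientMessage._id);
  if (!stored) throw new MethodError('error-invalid-message');
  if (!memberships.has(`${stored.rid}:${ctx.userId}`)) {
    throw new MethodError('error-not-allowed', "not a member of the message's room");
  }
  return translateText(stored.msg, targetLanguage);
}

// Simulates a DDP method call. Meteor binds the caller's user ID on `this`
// inside the method; here it is passed explicitly as ctx. Errors are returned
// as data so callers can inspect the outcome.
function invoke(method, userId, clientMessage, targetLanguage = 'de') {
  try {
    return { ok: true, value: method({ userId }, clientMessage, targetLanguage) };
  } catch (e) {
    return { ok: false, error: e.error || e.message };
  }
}

// Mallory names a DM message but spoofs rid to a room she can see; only the
// _id reaches the lookup, so the spoofed rid is irrelevant either way.
const spoofed = { _id: 'msgDm1', rid: 'GENERAL' };
console.log(invoke(vulnerableTranslateMessage, 'mallory', spoofed)); // leaks the DM content
console.log(invoke(hardenedTranslateMessage, 'mallory', spoofed));   // error-not-allowed
console.log(invoke(hardenedTranslateMessage, 'bob', spoofed));       // member of the DM, succeeds
```

The decisive point is that authorization is evaluated against the room the server has on record for the message, never against anything in the client-supplied object; validating the `_id` as a string also keeps a client from passing an object or regex-like value into the lookup.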
Affected Systems
Rocket.Chat is affected on every supported release line up to the fix for that line. The fixed releases are 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8 and 7.10.12; an installation running a version below the fix for its own release line (for example 8.4.1 or 7.13.7) is vulnerable. Operators should compare their deployed version against this list and schedule an upgrade to the matching fixed release or later.
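A small version check against the fixed releases listed above, as an added example rather than anything shipped by Rocket.Chat or OpenCVE. It encodes one reading of the list that the advisory does not spell out and that is flagged as an assumption in the code: a version is compared with the fix on its own major.minor line, and a line with no listed fix (such as 7.11.x or 7.12.x) is treated as unmaintained and therefore vulnerable whenever it is below the newest fix, 8.5.0.

```javascript
// Added example, not Rocket.Chat tooling: is an installed version vulnerable?

// Fixed releases exactly as listed in the advisory, one per release line.
const FIXED_RELEASES = ['8.5.0', '8.4.2', '8.3.4', '8.2.4', '8.1.5', '8.0.5', '7.13.8', '7.10.12'];

// Parses "major.minor.patch" (an optional leading "v" is tolerated). Any
// pre-release suffix such as "-rc.1" is ignored; assumption: a pre-release is
// treated like its final release. Tighten this if your risk appetite differs.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-component comparison; negative when a < b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when `installed` predates the fix on its own release line. Lines with
// no listed fix fall back to the newest fix overall (assumption: unmaintained
// lines are vulnerable until upgraded past 8.5.0; not stated by the advisory).
function isVulnerable(installed, fixedReleases = FIXED_RELEASES) {
  const v = parseVersion(installed);
  const fixes = fixedReleases.map(parseVersion).sort(compareVersions);
  const sameLine = fixes.find((f) => f[0] === v[0] && f[1] === v[1]);
  const reference = sameLine || fixes[fixes.length - 1];
  return compareVersions(v, reference) < 0;
}

// Constructed sample inputs; a real check would feed in the version string the
// instance reports.
for (const v of ['8.4.1', '8.4.2', '7.11.3', '7.13.8', '8.6.0']) {
  console.log(v, isVulnerable(v) ? 'vulnerable' : 'fixed');
}
```

The version string to feed in is the one the server reports (for a Rocket.Chat instance, the `version` field returned by `GET /api/info`); pin the comparison to that value rather than to a container tag, which can lag behind what is actually running.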
Risk and Exploitability
The reported CVSS score of 7.5 indicates high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs only an account on the instance: any authenticated DDP session can invoke the autoTranslate.translateMessage method, and no further privilege escalation is required, so exploitation is straightforward. The practical reach is bounded by what the attacker can address rather than by any server-side permission: messages are fetched by ID, so the attacker must know or obtain the IDs of the messages of interest, but once they do, nothing prevents them from reading any message on the server regardless of room membership.
OpenCVE Enrichment