PatchSiren cyber security CVE debrief

CVE-2026-32994 Rocket.Chat CVE debrief

A missing authorization check in the auto-translation API endpoint allows authenticated users to retrieve message content from any room without access verification. The endpoint fetches messages by ID without validating room membership, exposing private communications.

Vendor: Rocket.Chat
Product: Unknown
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Organizations running affected versions of this messaging platform with confidential communications requirements; security teams monitoring for insider threats or unauthorized data access; compliance officers responsible for message privacy controls.

Technical summary

The /api/v1/autotranslate.translateMessage endpoint fails to verify room access before returning message content. The Messages.findOneById() lookup executes without canAccessRoomIdAsync validation, returning complete IMessage objects including text, sender metadata, room IDs, and timestamps. Any authenticated user with a valid message ID can retrieve content from private groups, direct messages, and channels regardless of membership. The vulnerability affects multiple version branches prior to May 2026 patches.
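The authorization gap described above, modelled as an added example (not Rocket.Chat's code): a minimal handler in its vulnerable shape beside the hardened shape that checks room access before returning the message. The store, membership table and the findOneById / canAccessRoomId stand-ins are constructed for the illustration; the real helper is async.

```javascript
// Constructed message store: one public room, one private group.
const MESSAGES = new Map([
  ['msg-public-1', { _id: 'msg-public-1', rid: 'GENERAL', msg: 'hello', u: { _id: 'alice' } }],
  ['msg-private-1', { _id: 'msg-private-1', rid: 'private-grp', msg: 'secret', u: { _id: 'bob' } }],
]);

// Constructed room membership: which user IDs belong to which room.
const MEMBERS = {
  GENERAL: new Set(['alice', 'bob', 'mallory']),
  'private-grp': new Set(['bob']),
};

// Stand-in for Messages.findOneById(): looks up a message by ID only,
// with no notion of who is asking.
function findOneById(messageId) {
  return MESSAGES.get(messageId) || null;
}

// Stand-in for canAccessRoomIdAsync(): true only if the user is a member.
function canAccessRoomId(roomId, userId) {
  const members = MEMBERS[roomId];
  return Boolean(members && members.has(userId));
}

// Vulnerable shape (CWE-284): authentication is checked, authorization is not.
// Any logged-in user who knows a message ID gets the full message object back.
function translateMessageVulnerable({ userId, messageId }) {
  if (!userId) throw new Error('unauthorized');
  const message = findOneById(messageId);
  if (!message) throw new Error('not found');
  return { success: true, message }; // room membership never verified
}

// Hardened shape: verify the caller may access message.rid before returning it.
function translateMessageFixed({ userId, messageId }) {
  if (!userId) throw new Error('unauthorized');
  const message = findOneById(messageId);
  if (!message) throw new Error('not found');
  if (!canAccessRoomId(message.rid, userId)) {
    // Same response as a missing message, so a valid ID alone confirms nothing.
    throw new Error('not found');
  }
  return { success: true, message };
}
```

The same check belongs on every endpoint that resolves a message by ID; the audit step below is a search for lookups that skip it.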

Defensive priority

medium

Recommended defensive actions

  • Upgrade to patched versions: 8.5.0+, 8.4.2+, 8.3.4+, 8.2.4+, 8.1.5+, 8.0.6+, 7.13.8+, or 7.10.12+
  • Review API endpoints for missing canAccessRoomIdAsync checks
  • Audit message retrieval endpoints for authorization gaps
  • Monitor access logs for unusual message ID enumeration patterns
  • Implement defense-in-depth with additional authorization middleware for sensitive endpoints

Evidence notes

NVD record published 2026-05-19 with CVSS 5.3 (MEDIUM). HackerOne report 3713682 identified as source. Affected versions span multiple release branches: <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, <7.10.12. CWE-284 (Improper Access Control) assigned.

Official resources

2026-05-19