PatchSiren cyber security CVE debrief
CVE-2026-32995 Rocket.Chat CVE debrief
## Summary

Rocket.Chat versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, and 7.10.12 contain an insecure direct object reference (IDOR) vulnerability in the DDP method `autoTranslate.translateMessage`. The method accepts a client-supplied `IMessage` object and passes it directly to `translateMessage()` without validating `Meteor.userId()` or verifying room membership. Any authenticated DDP user can therefore read message content by ID from any room, including private channels, direct messages, and end-to-end encrypted (E2EE) rooms.

## Technical Details

The vulnerability lives in the Distributed Data Protocol (DDP) surface of Rocket.Chat's auto-translation feature. DDP is Meteor's real-time data protocol for client-server communication; a DDP method is a server-side function a connected client can invoke by name. `autoTranslate.translateMessage` performs no authorization check before it acts on the message object the caller supplies.

The attack flow is straightforward:

1. An authenticated attacker obtains a target message ID (through enumeration, leaked references, or other means).
2. The attacker invokes the `autoTranslate.translateMessage` DDP method with that message ID.
3. The server retrieves and returns the message content without verifying that the caller is a member of the containing room.

This is the classic IDOR pattern: object-level authorization is missing at the method entry point, so a feature intended to translate a message the caller can already see becomes a read primitive for any message. The CVSS 3.0 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` reflects network accessibility, low attack complexity, no user interaction, and high confidentiality impact with no integrity or availability impact. Note that the published vector encodes `PR:N` (no privileges required) even though the description requires an authenticated account; with `PR:L` the same vector would score 6.5 rather than 7.5. In practice the distinction matters little, since any self-registered or compromised account is sufficient.
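The following is an added example, not Rocket.Chat's code or the actual fix: a self-contained JavaScript model of the IDOR pattern described above. The in-memory rooms, subscriptions, messages, user IDs and the three method variants are all constructed for illustration, and plain objects stand in for Meteor's `Meteor.userId()`, `Meteor.Error` and the Rocket.Chat collections. It goes one step beyond the advisory text by also showing why a partial fix that checks membership against the client-supplied `rid` is still bypassable: the hardened version must take only the `_id` from the client, reload the message server-side, and authorize against the room the server says it belongs to.

```javascript
// Constructed data: a public channel and a private DM. The attacker
// ("mallory") is a member of the public channel only.
const Subscriptions = [                // who is a member of which room
  { u: 'alice', rid: 'GENERAL' }, { u: 'bob', rid: 'GENERAL' }, { u: 'mallory', rid: 'GENERAL' },
  { u: 'alice', rid: 'dm1' }, { u: 'bob', rid: 'dm1' },
];
const Messages = {                      // server-side message store, keyed by _id
  m1: { _id: 'm1', rid: 'GENERAL', msg: 'hello everyone' },
  m2: { _id: 'm2', rid: 'dm1', msg: 'the password is hunter2' },
};

// Stand-in for the translation backend. It echoes the text it was given,
// which is exactly what turns a missing authz check into a read primitive.
function translateMessage(message, targetLanguage) {
  return { _id: message._id, targetLanguage, translated: `[${targetLanguage}] ${message.msg}` };
}

function isMember(userId, rid) {
  return Subscriptions.some((s) => s.u === userId && s.rid === rid);
}

// BEFORE (model of the vulnerable pattern): the client-supplied message
// object is trusted end to end; no userId check, no membership check.
function vulnerableTranslate(userId, clientMessage, targetLanguage) {
  const stored = Messages[clientMessage._id];
  if (!stored) throw new Error('error-invalid-message');
  return translateMessage(stored, targetLanguage);
}

// PARTIAL FIX (still broken): membership is checked against the rid the
// *client* sent, so the attacker simply names a room they do belong to.
function partiallyFixedTranslate(userId, clientMessage, targetLanguage) {
  if (!userId) throw new Error('error-invalid-user');
  if (!isMember(userId, clientMessage.rid)) throw new Error('error-not-allowed');
  const stored = Messages[clientMessage._id];
  if (!stored) throw new Error('error-invalid-message');
  return translateMessage(stored, targetLanguage);
}

// HARDENED: only the _id is taken from the client; the message is reloaded
// server-side and authorized against its stored rid. Missing and
// inaccessible messages yield the same error so the method cannot be used
// to confirm that a message id exists.
function hardenedTranslate(userId, clientMessage, targetLanguage) {
  if (!userId) throw new Error('error-invalid-user');
  const stored = Messages[clientMessage._id];
  if (!stored || !isMember(userId, stored.rid)) throw new Error('error-not-allowed');
  return translateMessage(stored, targetLanguage);
}

// The advisory's attack flow: an authenticated user supplies the id of a
// message from a room they are not in, claiming it lives in a room they are
// in. Returns the outcome of each method variant.
function runAttack(attacker, targetMsgId) {
  const variants = { vulnerableTranslate, partiallyFixedTranslate, hardenedTranslate };
  const outcomes = {};
  for (const [name, fn] of Object.entries(variants)) {
    const forged = { _id: targetMsgId, rid: 'GENERAL', msg: '' };
    try {
      outcomes[name] = fn(attacker, forged, 'de').translated;
    } catch (e) {
      outcomes[name] = 'ERROR: ' + e.message;
    }
  }
  return outcomes;
}

console.log(JSON.stringify(runAttack('mallory', 'm2'), null, 2));
```

Running it shows the vulnerable and partially fixed variants both returning the DM content to `mallory`, while the hardened variant answers `error-not-allowed`; `alice`, who is in `dm1`, still gets her translation. The point to carry into code review of other DDP methods is the last one: authorization must be computed from server-side state, never from fields of the object the client handed in.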
## Affected Versions

The fix shipped on several maintenance lines at once; on each line, every release below the patched version is affected:

- prior to 8.5.0
- prior to 8.4.2
- prior to 8.3.4
- prior to 8.2.4
- prior to 8.1.5
- prior to 8.0.5
- prior to 7.13.8
- prior to 7.10.12

## Impact

Successful exploitation allows authenticated attackers to:

- Read arbitrary messages from private channels without membership
- Access direct message conversations between other users
- Retrieve content from E2EE rooms (though the cryptographic layer,
- Vendor: Rocket.Chat
- Product: Unknown in stored evidence (the advisory body identifies it as Rocket.Chat)
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Rocket.Chat administrators, security teams managing self-hosted chat platforms, organizations relying on Rocket.Chat for sensitive communications including E2EE rooms, and compliance officers responsible for communication platform data access controls.
Technical summary
The `autoTranslate.translateMessage` DDP method in affected Rocket.Chat versions lacks authorization checks, allowing authenticated users to retrieve arbitrary message content by ID regardless of room membership or privacy settings.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Rocket.Chat to a patched release on your maintenance line: 8.5.0+, 8.4.2+, 8.3.4+, 8.2.4+, 8.1.5+, 8.0.5+, 7.13.8+, or 7.10.12+
- If immediate patching is not possible, disable the auto-translation feature entirely, then verify from an unprivileged test account that `autoTranslate.translateMessage` is actually rejected rather than assuming the admin toggle alone removes the server-side handler
- Review other DDP method implementations for the same pattern: methods that trust a client-supplied message or room object instead of reloading it and checking membership server-side
- Where DDP method calls are logged, monitor `autoTranslate.translateMessage` invocations for callers that are not members of the room the referenced message belongs to, and for high-volume or sequential message-ID lookups from a single account
- Restrict DDP endpoint exposure with network-level access controls where the deployment allows it; note that this only reduces the population of potential attackers, since exploitation needs nothing more than an authenticated account
Evidence notes
Vulnerability disclosed via HackerOne report 3734326. Fix implemented in GitHub pull request 40528. CWE-284 (Improper Access Control) classification from HackerOne. CVSS 3.0 score 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Official resources
2026-05-28