PatchSiren

Rocket.Chat CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

Severity: MEDIUM. Rocket.Chat CVE, published 2026-05-19.

CVE-2026-32994

A missing authorization check in the auto-translation API endpoint allows authenticated users to retrieve message content from any room without access verification. The endpoint fetches messages by ID without validating room membership, exposing private communications.