What is the CVSS score of CVE-2026-32995?

CVE-2026-32995 has a CVSS 3.0 base score of 7.5 (High). CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Rocket.Chat are affected by CVE-2026-32995?

Rocket.Chat deployments are exposed to unauthorized message disclosure (CVE-2026-32995, CVSS 7.5), where any authenticated user can read messages from all channels regardless of access permissions,…. A patch is available.

Rocket.Chat CVE-2026-32995

Q: How to fix or mitigate CVE-2026-32995?

Within 24 hours: identify all Rocket.Chat deployments and document their versions for vulnerability status. Within 7 days: contact Rocket.Chat support for release timeline of a patched version and implement access logging on the autoTranslate method. Within 30 days: apply vendor-released patch immediately upon availability or upgrade to patched version; audit recent message access logs for unauthorized message retrieval patterns.

EUVD-2026-32711 HIGH

Improper Access Control (CWE-284)

2026-05-28 hackerone

GHSA-2v6f-4wc2-p3hq

Authentication Bypass

7.5

CVSS 3.0

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch available

May 28, 2026 - 06:01 EUVD

Source Code Evidence Fetched

May 28, 2026 - 05:02 vuln.today

Analysis Generated

May 28, 2026 - 05:02 vuln.today

DescriptionNVD

The Rocket.Chat DDP method autoTranslate.translateMessage in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8, and <7.10.12 accepts a client-supplied IMessage object and passes it directly to translateMessage() without checking Meteor.userId() or verifying room membership. Any authenticated DDP user can read the content of any message by ID from any room (private channels, DMs, E2EE rooms) by calling this method.

AnalysisAI

Cross-room message disclosure in Rocket.Chat allows any authenticated DDP user to read arbitrary messages - including those in private channels, direct messages, and E2EE rooms - by invoking the autoTranslate.translateMessage Meteor method with a target message ID. The flaw stems from missing access control and identity checks in the server-side method handler, with an upstream fix merged in PR #40528. …

RemediationAI

Within 24 hours: identify all Rocket.Chat deployments and document their versions for vulnerability status. Within 7 days: contact Rocket.Chat support for release timeline of a patched version and implement access logging on the autoTranslate method. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-32995 vulnerability details – vuln.today

Back

Rocket.Chat CVE-2026-32995

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code