Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
The Rocket.Chat DDP method autoTranslate.translateMessage in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8, and <7.10.12 accepts a client-supplied IMessage object and passes it directly to translateMessage() without checking Meteor.userId() or verifying room membership. Any authenticated DDP user can read the content of any message by ID from any room (private channels, DMs, E2EE rooms) by calling this method.
AnalysisAI
Cross-room message disclosure in Rocket.Chat allows any authenticated DDP user to read arbitrary messages - including those in private channels, direct messages, and E2EE rooms - by invoking the autoTranslate.translateMessage Meteor method with a target message ID. The flaw stems from missing access control and identity checks in the server-side method handler, with an upstream fix merged in PR #40528. No public exploit identified at time of analysis, though the trivial DDP call pattern makes weaponization straightforward.
Technical ContextAI
Rocket.Chat is an open-source team collaboration platform built on the Meteor framework, which exposes server methods to clients via the DDP (Distributed Data Protocol) websocket protocol. The vulnerable code path is apps/meteor/app/autotranslate/server/methods/translateMessage.ts, where the method previously accepted a client-supplied IMessage object and forwarded it directly to translateMessage() without calling Meteor.userId() to confirm the caller's identity, without type-checking the message ID, and without invoking canAccessRoomAsync() to verify the caller is a member of the room containing the message. This is a textbook CWE-284 (Improper Access Control) failure: the server trusted client-provided object structure and treated the input as a read-through key to MongoDB rather than an authorization-gated lookup. Because Meteor methods can be invoked directly over DDP outside the normal UI flow, the missing checks expose the full message corpus including private channels, DMs, and even messages stored from E2EE rooms (where ciphertext is still server-side and may be cached/translated).
RemediationAI
Vendor-released patch: upgrade to Rocket.Chat 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, or 7.10.12 (whichever matches your release line), which incorporate the access-control fix from https://github.com/RocketChat/Rocket.Chat/pull/40528 that adds Meteor.userId() validation, type-checks message._id with meteor/check, re-fetches the message server-side, and gates translation behind canAccessRoomAsync(). If immediate patching is not possible, compensating controls include disabling the AutoTranslate feature globally via the AutoTranslate_Enabled setting (side effect: legitimate users lose in-product translation), restricting account creation by disabling open self-registration (Accounts_RegistrationForm) to shrink the attacker pool to existing users, and placing the Rocket.Chat instance behind a network-level allowlist or VPN if external access is not required (side effect: blocks legitimate remote users). Monitor server logs for high-volume calls to the autoTranslate.translateMessage DDP method from individual sessions as a detection signal.
More in Rocket Chat
View allA sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an
A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenti
A improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentic
A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retriev
A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. Rated high sev
An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed ema
An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with ph
A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth token
An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server meth
Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. Rated medium severity
Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct
Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. Rated medium severity (CVSS 6.1), this vulnerability i
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32711
GHSA-2v6f-4wc2-p3hq