Skip to main content

Rocket.Chat EUVDEUVD-2026-32711

| CVE-2026-32995 HIGH
Improper Access Control (CWE-284)
2026-05-28 hackerone GHSA-2v6f-4wc2-p3hq
7.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
May 28, 2026 - 06:01 EUVD
Source Code Evidence Fetched
May 28, 2026 - 05:02 vuln.today
Analysis Generated
May 28, 2026 - 05:02 vuln.today

DescriptionCVE.org

The Rocket.Chat DDP method autoTranslate.translateMessage in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8, and <7.10.12 accepts a client-supplied IMessage object and passes it directly to translateMessage() without checking Meteor.userId() or verifying room membership. Any authenticated DDP user can read the content of any message by ID from any room (private channels, DMs, E2EE rooms) by calling this method.

AnalysisAI

Cross-room message disclosure in Rocket.Chat allows any authenticated DDP user to read arbitrary messages - including those in private channels, direct messages, and E2EE rooms - by invoking the autoTranslate.translateMessage Meteor method with a target message ID. The flaw stems from missing access control and identity checks in the server-side method handler, with an upstream fix merged in PR #40528. No public exploit identified at time of analysis, though the trivial DDP call pattern makes weaponization straightforward.

Technical ContextAI

Rocket.Chat is an open-source team collaboration platform built on the Meteor framework, which exposes server methods to clients via the DDP (Distributed Data Protocol) websocket protocol. The vulnerable code path is apps/meteor/app/autotranslate/server/methods/translateMessage.ts, where the method previously accepted a client-supplied IMessage object and forwarded it directly to translateMessage() without calling Meteor.userId() to confirm the caller's identity, without type-checking the message ID, and without invoking canAccessRoomAsync() to verify the caller is a member of the room containing the message. This is a textbook CWE-284 (Improper Access Control) failure: the server trusted client-provided object structure and treated the input as a read-through key to MongoDB rather than an authorization-gated lookup. Because Meteor methods can be invoked directly over DDP outside the normal UI flow, the missing checks expose the full message corpus including private channels, DMs, and even messages stored from E2EE rooms (where ciphertext is still server-side and may be cached/translated).

RemediationAI

Vendor-released patch: upgrade to Rocket.Chat 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, or 7.10.12 (whichever matches your release line), which incorporate the access-control fix from https://github.com/RocketChat/Rocket.Chat/pull/40528 that adds Meteor.userId() validation, type-checks message._id with meteor/check, re-fetches the message server-side, and gates translation behind canAccessRoomAsync(). If immediate patching is not possible, compensating controls include disabling the AutoTranslate feature globally via the AutoTranslate_Enabled setting (side effect: legitimate users lose in-product translation), restricting account creation by disabling open self-registration (Accounts_RegistrationForm) to shrink the attacker pool to existing users, and placing the Rocket.Chat instance behind a network-level allowlist or VPN if external access is not required (side effect: blocks legitimate remote users). Monitor server logs for high-volume calls to the autoTranslate.translateMessage DDP method from individual sessions as a detection signal.

CVE-2021-22910 CRITICAL POC
9.8 Aug 09

A sanitization vulnerability exists in Rocket.Chat server versions <3.13.2, <3.12.4, <3.11.4 that allowed queries to an

CVE-2021-22911 CRITICAL POC
9.8 May 27

A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenti

CVE-2022-35248 HIGH POC
8.8 Sep 23

A improper authentication vulnerability exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 that allowed two factor authentic

CVE-2022-32211 HIGH POC
8.8 Sep 23

A SQL injection vulnerability exists in Rocket.Chat <v3.18.6, <v4.4.4 and <v4.7.3 which can allow an attacker to retriev

CVE-2024-39713 HIGH POC
8.6 Aug 05

A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1. Rated high sev

CVE-2021-22892 HIGH POC
7.5 May 27

An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed ema

CVE-2022-30124 MEDIUM POC
6.8 Sep 23

An improper authentication vulnerability exists in Rocket.Chat Mobile App <4.14.1.22788 that allowed an attacker with ph

CVE-2022-32227 MEDIUM POC
6.5 Sep 23

A cleartext transmission of sensitive information exists in Rocket.Chat <v5, <v4.8.2 and <v4.7.5 relating to Oauth token

CVE-2022-32220 MEDIUM POC
6.5 Sep 23

An information disclosure vulnerability exists in Rocket.Chat <v5 due to the getUserMentionsByChannel meteor server meth

CVE-2021-32832 MEDIUM POC
6.5 Aug 30

Rocket.Chat is an open-source fully customizable communications platform developed in JavaScript. Rated medium severity

CVE-2020-15926 MEDIUM POC
6.1 Aug 18

Rocket.Chat through 3.4.2 allows XSS where an attacker can send a specially crafted message to a channel or in a direct

CVE-2019-17220 MEDIUM POC
6.1 Oct 21

Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. Rated medium severity (CVSS 6.1), this vulnerability i

Share

EUVD-2026-32711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy