PT-2026-44173 · Rocket.Chat+1 · Rocket.Chat

CVE-2026-32995

·

Published

2026-05-28

·

Updated

2026-05-28

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Rocket.Chat versions prior to 8.5.0 Rocket.Chat versions prior to 8.4.2 Rocket.Chat versions prior to 8.3.4 Rocket.Chat versions prior to 8.2.4 Rocket.Chat versions prior to 8.1.5 Rocket.Chat versions prior to 8.0.5 Rocket.Chat versions prior to 7.13.8 Rocket.Chat versions prior to 7.10.12
Description The DDP method autoTranslate.translateMessage() accepts a client-supplied IMessage object and processes it without verifying the Meteor.userId() or confirming the user's membership in the room. This allows any authenticated DDP user to read the content of any message by its ID from any room, including private channels, direct messages (DMs), and end-to-end encrypted (E2EE) rooms.
Recommendations Update to version 8.5.0 or later. Update to version 8.4.2 or later. Update to version 8.3.4 or later. Update to version 8.2.4 or later. Update to version 8.1.5 or later. Update to version 8.0.5 or later. Update to version 7.13.8 or later. Update to version 7.10.12 or later. As a temporary mitigation, restrict access to the autoTranslate.translateMessage() method.

Exploit

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-32995

Affected Products

Rocket.Chat