Message Retrieval Flaw in Popular Chat Application by Vendor
CVE-2026-32994

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 19 May 2026

What is CVE-2026-32994?

The /api/v1/autotranslate.translateMessage endpoint in Rocket.Chat allows any authenticated user to read the full contents of messages from private groups, direct messages, and public channels. The endpoint fetches the message without verifying that the caller has access to the room the message belongs to, so supplying a message ID is enough to expose the message text, sender details, room ID, timestamps, and markdown content. Immediate action is recommended to secure the application against potential exploitation.
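The missing check described above, shown as an added example that is not Rocket.Chat source code: a handler that looks up a message by ID alone, next to one that also verifies the caller's access to the message's room. The data model, the function names, and the membership-only access rule are all assumptions made for illustration.

```javascript
// Added illustration, not Rocket.Chat code. Rooms, users and messages are constructed.
const rooms = new Map([
  ['room-private', { members: new Set(['alice', 'bob']) }],
  ['room-dm', { members: new Set(['alice', 'carol']) }],
]);
const messages = new Map([
  ['msg-1', { _id: 'msg-1', rid: 'room-private', u: 'alice', msg: 'quarterly numbers', ts: 1 }],
  ['msg-2', { _id: 'msg-2', rid: 'room-dm', u: 'carol', msg: 'see you at 5', ts: 2 }],
]);

// Stand-in for the translation step: returns the message plus a translated field.
function translate(message, lang) {
  return { ...message, translations: { [lang]: `[${lang}] ${message.msg}` } };
}

// Flawed pattern: the caller is authenticated, but the message is fetched by ID
// with no check that the caller can see the room it belongs to.
function translateMessageUnchecked(userId, messageId, lang) {
  if (!userId) throw new Error('unauthorized');
  const message = messages.get(messageId);
  if (!message) throw new Error('not-found');
  return translate(message, lang); // full message object goes back to the caller
}

// Assumed access rule for this example: the caller must be a member of the room.
function canAccessRoom(userId, roomId) {
  const room = rooms.get(roomId);
  return Boolean(room) && room.members.has(userId);
}

// Corrected pattern: resolve the message, then authorize against its room
// before returning anything derived from it.
function translateMessageChecked(userId, messageId, lang) {
  if (!userId) throw new Error('unauthorized');
  const message = messages.get(messageId);
  // Same error for "missing" and "forbidden", so responses do not confirm
  // whether a given message ID exists.
  if (!message || !canAccessRoom(userId, message.rid)) throw new Error('not-found');
  return translate(message, lang);
}
```

The room is derived from the stored message rather than from a caller-supplied parameter, so the check cannot be satisfied by naming a room the caller does belong to.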

Affected Version(s)

Rocket.Chat 0 < 8.5.0

Rocket.Chat 0 < 8.4.2

Rocket.Chat 0 < 8.3.4

References

CVSS V3.0

Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
