Vulnerability in Rocket.Chat’s AutoTranslate Feature Allows Message Disclosure
CVE-2026-32995

7.5HIGH

Key Information:

Vendor: Rocket.chat
Status: Rocket.chat
Vendor: CVE Published:; 28 May 2026

🔔 Create Rocket.chat Vulnerability Alert

What is CVE-2026-32995?

A security flaw exists in Rocket.Chat's autoTranslate.translateMessage function, found in multiple older versions, where it accepts a user-provided IMessage object without appropriate checks. This oversight allows any authenticated DDP user to access message contents from any room, including private channels and end-to-end encrypted messages, potentially leading to unauthorized information exposure.

Affected Version(s)

Rocket.Chat 8.5.0

Rocket.Chat 8.4.0 < 8.4.2

Rocket.Chat 8.3.0 < 8.3.4

References

https://hackerone.com/reports/3734326

https://github.com/RocketChat/Rocket.Chat/pull/40528

CVSS V3.0

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 28, 2026
Vulnerability Reserved
Mar 17, 2026

CVE-2026-32995 Data

JSON