CVE-2026-32994 Overview
CVE-2026-32994 is a broken access control vulnerability in the /api/v1/autotranslate.translateMessage endpoint. Any authenticated user can retrieve the full content of any message from any room, including private groups, direct messages, and channels. The endpoint accepts a target message ID and returns the complete IMessage object without verifying that the caller has access to the room containing the message. Affected versions include releases prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12.
Critical Impact
Authenticated attackers can exfiltrate confidential messages from private channels and direct messages by enumerating or guessing message IDs, exposing message text, sender identity, room ID, timestamps, and markdown content.
Affected Products
- Versions prior to 8.5.0
- Versions prior to 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6
- Versions prior to 7.13.8 and 7.10.12
Discovery Timeline
- 2026-05-19 - CVE-2026-32994 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-32994
Vulnerability Analysis
The vulnerability resides in the /api/v1/autotranslate.translateMessage REST endpoint. The handler fetches the message with Messages.findOneById(messageId) and returns the complete message object to the caller. The endpoint never invokes canAccessRoomIdAsync, the standard authorization helper used to verify that the requesting user is a member of the room containing the message. As a result, authentication alone is sufficient to read any message in the system, including messages in private groups and direct messages in which the caller is not a participant. This weakness is classified under [CWE-284] Improper Access Control.
Root Cause
The root cause is a missing authorization check on a server-side translation endpoint. Authentication and authorization were conflated: the endpoint validates the caller's session but does not validate the caller's relationship to the target room. The returned IMessage object exposes message text, sender information, room ID, timestamps, and markdown content, so a single request leaks complete message context.
Attack Vector
Exploitation requires only a valid authenticated session. An attacker iterates or harvests message IDs and issues POST requests to /api/v1/autotranslate.translateMessage with each ID. Message IDs leaked through other channels, reply references, link previews, or sequential enumeration provide ready inputs. Each successful response yields the full message content regardless of room membership. The attack does not require elevated privileges or user interaction.
No verified proof-of-concept code is published. See the HackerOne Report #3713682 for technical details.
Detection Methods for CVE-2026-32994
Indicators of Compromise
- High-volume POST requests to /api/v1/autotranslate.translateMessage from a single authenticated user
- Requests to the endpoint referencing message IDs from rooms the caller is not a member of
- Sequential or scripted patterns of message ID values in request bodies
- Sudden growth in outbound response size from the translation API
Detection Strategies
- Correlate API access logs with room membership records to flag translation requests for rooms the user does not belong to
- Baseline normal autotranslate.translateMessage usage per account and alert on volume anomalies
- Inspect application logs for Messages.findOneById calls originating from the translation endpoint without preceding access checks
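The membership correlation and per-user volume checks described above, as an added example that is not part of the original advisory: the JSON log format, field names, lookup tables and the volume threshold are constructed assumptions to be adapted to your own audit log schema.

```javascript
// Added example, not the project's code: flag translateMessage requests whose
// target message sits in a room the caller is not a member of, plus callers
// whose request volume exceeds a baseline. Log format and tables are constructed.

const ENDPOINT = '/api/v1/autotranslate.translateMessage';
const VOLUME_THRESHOLD = 3; // constructed: requests per user in the log window

// Constructed lookups that a real deployment would pull from the message and
// subscription stores (message ID -> room ID, room ID -> member user IDs).
const messageRoom = { m1: 'general', m2: 'secret-group', m3: 'secret-group', m4: 'dm-alice-bob' };
const roomMembers = {
  'general': ['alice', 'bob', 'mallory'],
  'secret-group': ['alice', 'bob'],
  'dm-alice-bob': ['alice', 'bob'],
};

// Constructed access-log lines, one JSON object per request.
const SAMPLE_LOG = [
  '{"ts":"2026-05-20T10:00:01Z","user":"alice","method":"POST","path":"/api/v1/autotranslate.translateMessage","messageId":"m2"}',
  '{"ts":"2026-05-20T10:00:02Z","user":"mallory","method":"POST","path":"/api/v1/autotranslate.translateMessage","messageId":"m1"}',
  '{"ts":"2026-05-20T10:00:03Z","user":"mallory","method":"POST","path":"/api/v1/autotranslate.translateMessage","messageId":"m2"}',
  '{"ts":"2026-05-20T10:00:04Z","user":"mallory","method":"POST","path":"/api/v1/autotranslate.translateMessage","messageId":"m3"}',
  '{"ts":"2026-05-20T10:00:05Z","user":"mallory","method":"POST","path":"/api/v1/autotranslate.translateMessage","messageId":"m4"}',
  '{"ts":"2026-05-20T10:00:06Z","user":"bob","method":"GET","path":"/api/v1/me"}',
];

// Returns a list of findings: non-member reads, unknown message IDs (possible
// enumeration) and per-user volume anomalies on the translation endpoint.
function analyzeTranslateLog(lines) {
  const findings = [];
  const perUser = {};
  for (const line of lines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (entry.path !== ENDPOINT || entry.method !== 'POST') continue;
    perUser[entry.user] = (perUser[entry.user] || 0) + 1;
    const rid = messageRoom[entry.messageId];
    if (rid === undefined) {
      findings.push({ user: entry.user, messageId: entry.messageId, reason: 'unknown-message' });
    } else if (!(roomMembers[rid] || []).includes(entry.user)) {
      findings.push({ user: entry.user, messageId: entry.messageId, roomId: rid, reason: 'non-member' });
    }
  }
  for (const [user, count] of Object.entries(perUser)) {
    if (count >= VOLUME_THRESHOLD) findings.push({ user, count, reason: 'volume' });
  }
  return findings;
}
```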
Monitoring Recommendations
- Forward server access logs and application audit logs to a centralized SIEM for correlation
- Track per-user request rates against the translation endpoint and trigger alerts above defined thresholds
- Review authentication telemetry for compromised or newly created accounts probing the endpoint
How to Mitigate CVE-2026-32994
Immediate Actions Required
- Upgrade to the fixed release for your branch (8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, or 7.10.12) or later
- Audit historical access logs for the /api/v1/autotranslate.translateMessage endpoint to identify prior abuse
- Rotate or revoke API tokens for accounts exhibiting suspicious access patterns
Patch Information
Upgrade to the fixed versions listed in the vulnerability description. The fix introduces a room access check via canAccessRoomIdAsync before the message is fetched and returned. Refer to the HackerOne Report #3713682 for additional context.
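The missing check described in the Vulnerability Analysis and Root Cause sections, modelled beside the corrected handler described above, as an added example that is not the project's code: the in-memory message and membership tables and the synchronous stand-ins for Messages.findOneById and canAccessRoomIdAsync are constructed assumptions.

```javascript
// Added example, not the project's code: a minimal model of the
// translateMessage handler before and after the fix. The real helpers are
// async database calls; these synchronous stand-ins keep the model runnable.

// Constructed sample data: a public channel and a private group that
// 'mallory' is not a member of.
const messages = new Map([
  ['msg-public-1', { _id: 'msg-public-1', rid: 'general', u: { _id: 'alice' }, msg: 'hello all' }],
  ['msg-private-1', { _id: 'msg-private-1', rid: 'secret-group', u: { _id: 'bob' }, msg: 'q3 numbers' }],
]);
const roomMembers = new Map([
  ['general', new Set(['alice', 'bob', 'mallory'])],
  ['secret-group', new Set(['alice', 'bob'])],
]);

// Stand-in for Messages.findOneById(messageId).
function findMessageById(messageId) {
  return messages.get(messageId) ?? null;
}

// Stand-in for canAccessRoomIdAsync(roomId, userId): true only for members.
function canAccessRoomId(roomId, userId) {
  return roomMembers.get(roomId)?.has(userId) ?? false;
}

// Vulnerable shape (CVE-2026-32994): session is checked, room membership is not.
function translateMessageVulnerable(callerId, messageId) {
  if (!callerId) throw new Error('unauthorized'); // authentication only
  const message = findMessageById(messageId);
  if (!message) throw new Error('not found');
  return message; // full IMessage returned regardless of room membership
}

// Fixed shape: authorize against the room the message actually belongs to
// (message.rid), never against a room ID supplied by the client.
function translateMessageFixed(callerId, messageId) {
  if (!callerId) throw new Error('unauthorized');
  const message = findMessageById(messageId);
  // One response for "missing" and "not accessible" so the endpoint does not
  // confirm which message IDs exist in rooms the caller cannot see.
  if (!message || !canAccessRoomId(message.rid, callerId)) {
    throw new Error('not found');
  }
  return message;
}
```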
Workarounds
- Disable the auto-translate feature at the server level until patches are applied
- Restrict network access to the API to trusted clients via reverse proxy rules blocking /api/v1/autotranslate.translateMessage
- Apply rate limiting on the endpoint to reduce the feasibility of mass message ID enumeration
# Example reverse proxy block (nginx) to deny the vulnerable endpoint until patched
location = /api/v1/autotranslate.translateMessage {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.