CVE-2026-32995 Overview
CVE-2026-32995 is a broken access control vulnerability [CWE-284] in Rocket.Chat. The Distributed Data Protocol (DDP) method autoTranslate.translateMessage accepts a client-supplied IMessage object and forwards it directly to translateMessage(). The method does not validate Meteor.userId() and does not verify room membership. Any authenticated DDP user can read message content from any room by message ID, including private channels, direct messages, and end-to-end encrypted (E2EE) rooms.
Critical Impact
Authenticated users can exfiltrate messages from private, direct, and E2EE rooms without membership, breaking the confidentiality model of Rocket.Chat.
Affected Products
- Rocket.Chat versions earlier than 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5
- Rocket.Chat versions earlier than 7.13.8
- Rocket.Chat versions earlier than 7.10.12
Discovery Timeline
- 2026-05-28 - CVE-2026-32995 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-32995
Vulnerability Analysis
The flaw resides in the autoTranslate.translateMessage DDP method exposed by the Rocket.Chat server. The method is designed to translate a message into a target language and return the translated text. The handler trusts the IMessage object passed by the client and invokes translateMessage() directly. No session validation, no role check, and no room membership lookup occur before the call.
Because the translation routine reads the message content by ID, an attacker need supply only the message identifier. The server fetches the underlying message and returns its content within the translation response. This applies to private channels, direct messages, and E2EE rooms where ciphertext is stored server-side.
Root Cause
The root cause is missing authorization enforcement on a sensitive DDP method. The method assumes the caller has already passed access checks performed elsewhere in the stack. Those checks are absent for autoTranslate.translateMessage, allowing the call to bypass standard room ACL evaluation.
Attack Vector
Exploitation requires only a valid authenticated DDP session, which any registered Rocket.Chat user can obtain. The attacker connects to the DDP endpoint over the network and invokes autoTranslate.translateMessage with a target message identifier. The server returns message content that the user is not authorized to read. No user interaction by the victim is required. Verified exploit code is not published in the references; see the GitHub Pull Request and HackerOne Security Report for technical details.
Detection Methods for CVE-2026-32995
Indicators of Compromise
- DDP method calls to autoTranslate.translateMessage from accounts that are not members of the target room.
- High-volume or scripted invocations of autoTranslate.translateMessage from a single session enumerating message IDs.
- Translation requests targeting messages in private channels, DMs, or E2EE rooms by non-members.
Detection Strategies
- Parse Rocket.Chat application logs for method entries equal to autoTranslate.translateMessage and correlate the calling userId with room membership records in MongoDB.
- Alert on translation activity that targets messages located in rooms where the caller is not a participant.
- Baseline normal autoTranslate usage per account and flag deviations exceeding the baseline.
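The first two strategies above, worked as an added example that is not Rocket.Chat's own code: it parses constructed JSON method-call log lines (the real log format, field names, and the userId/room data are assumptions), joins each call to the message's room and that room's membership, and flags non-member calls plus any account exceeding a call-count threshold.

```javascript
// Added example, not Rocket.Chat's own code. The JSON log format, the field
// names and all sample data below are constructed assumptions.
const METHOD = "autoTranslate.translateMessage";

// Constructed sample: one DDP method-call log entry per line.
const SAMPLE_LOGS = [
  '{"ts":"2026-05-29T10:00:01Z","userId":"u_alice","method":"autoTranslate.translateMessage","args":[{"_id":"m1"}]}',
  '{"ts":"2026-05-29T10:00:02Z","userId":"u_alice","method":"autoTranslate.translateMessage","args":[{"_id":"m2"}]}',
  '{"ts":"2026-05-29T10:00:03Z","userId":"u_alice","method":"autoTranslate.translateMessage","args":[{"_id":"m3"}]}',
  '{"ts":"2026-05-29T10:00:04Z","userId":"u_bob","method":"autoTranslate.translateMessage","args":[{"_id":"m2"}]}',
  '{"ts":"2026-05-29T10:00:05Z","userId":"u_alice","method":"sendMessage","args":[{"rid":"r_general"}]}',
  "not json at all",
  '{"ts":"2026-05-29T10:00:06Z","userId":"u_alice","method":"autoTranslate.translateMessage","args":[{"_id":"m4"}]}',
];

// Constructed lookups standing in for the message -> room and room -> members
// data a real deployment would pull from MongoDB.
const MESSAGE_ROOM = { m1: "r_general", m2: "r_private", m3: "r_dm", m4: "r_private" };
const ROOM_MEMBERS = {
  r_general: new Set(["u_alice", "u_bob", "u_carol"]),
  r_private: new Set(["u_bob"]),
  r_dm: new Set(["u_bob", "u_carol"]),
};

// Parse one log line; return null for malformed lines and for other methods.
function parseTranslateCall(line) {
  let entry;
  try { entry = JSON.parse(line); } catch { return null; }
  if (entry.method !== METHOD) return null;
  const messageId = entry.args?.[0]?._id;
  if (typeof messageId !== "string") return null;
  return { ts: entry.ts, userId: entry.userId, messageId };
}

// Flag calls whose caller is not a member of the message's room, and callers
// whose call count exceeds volumeThreshold (possible scripted enumeration).
function detectAbuse(lines, messageRoom, roomMembers, volumeThreshold = 3) {
  const crossRoom = [];
  const counts = new Map();
  for (const line of lines) {
    const call = parseTranslateCall(line);
    if (!call) continue;
    counts.set(call.userId, (counts.get(call.userId) || 0) + 1);
    const rid = messageRoom[call.messageId];
    // Unknown message IDs are reported too: membership cannot be verified.
    if (!rid || !roomMembers[rid]?.has(call.userId)) {
      crossRoom.push({ ...call, rid: rid || null });
    }
  }
  const highVolume = [...counts]
    .filter(([, n]) => n > volumeThreshold)
    .map(([userId, count]) => ({ userId, count }));
  return { crossRoom, highVolume };
}
```

On the sample data, u_alice is reported three times for messages in rooms she does not belong to and once more for exceeding the call threshold; u_bob's single in-room call produces no finding.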
Monitoring Recommendations
- Forward Rocket.Chat DDP and account logs to a centralized SIEM for correlation across sessions and rooms.
- Monitor outbound traffic from Rocket.Chat servers for anomalous translation API usage that may indicate scripted exploitation.
- Review audit logs for unusual access patterns by recently created or low-privilege accounts.
How to Mitigate CVE-2026-32995
Immediate Actions Required
- Upgrade Rocket.Chat to a fixed release on your maintenance branch: 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, or 7.10.12.
- Restrict account creation and review existing low-privilege accounts that could be used to authenticate to DDP.
- Audit recent calls to autoTranslate.translateMessage and identify any cross-room access by non-members.
Patch Information
The vendor fix is tracked in the GitHub Pull Request. The patch adds caller identity and room membership verification before invoking translateMessage(). Additional context is available in the HackerOne Security Report.
Workarounds
- Disable the AutoTranslate feature at the workspace level until the patch is applied.
- Block or rate-limit DDP traffic to the autoTranslate.translateMessage method at a reverse proxy or WAF where feasible.
- Rotate authentication tokens and force re-login for users after upgrading to invalidate any sessions used for exploitation.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.