CVE-2026-32995 · Severity: HIGH · CNA: hackerone

CVE-2026-32995: The Rocket

The Rocket.Chat DDP method autoTranslate.translateMessage in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8, and <7.10.12 accepts a client-supplied IMessage object and passes it directly to translateMessage() without checking Meteor.userId() or verifying room membership. Any authenticated DDP user can read the content of any message by ID from any room (private channels, DMs, E2EE rooms) by calling this method.

HarborGuard Analysis

Synopsis

This is an authorization bypass (missing access control) in the Rocket.Chat DDP method autoTranslate.translateMessage. The vulnerability is reachable over the network by any authenticated user, with no elevated privileges required. A successful attacker reads the plaintext content of any message by ID across all room types, including private channels, direct messages, and end-to-end encrypted rooms. Patched-image rebuilds at versions 7.10.12, 7.13.8, 8.0.6, 8.1.5, and 8.2.4 are available on HarborGuard for environments running an affected version.
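An added illustration, not Rocket.Chat's code and not the project's actual fix, of the unguarded method shape the advisory describes beside a guarded one that identifies the caller, loads the message server-side by ID and checks room membership before translating. Meteor's collections and Meteor.userId() are replaced by constructed in-memory data and an explicit userId parameter, and the translation step is an assumed stand-in that resolves the stored message by _id.

```javascript
// Added illustration, not Rocket.Chat's code: the unguarded shape beside a
// guarded one. Meteor collections are replaced by constructed in-memory data.
const messages = new Map([
  // constructed sample: one message stored in a private room
  ['msg1', { _id: 'msg1', rid: 'room-private', msg: 'quarterly numbers (secret)' }],
]);
// constructed membership records, keyed "userId:roomId"
const subscriptions = new Set(['alice:room-private']);

// Assumed stand-in for the real translation step: resolves the stored
// message by _id and returns its text tagged with the target language.
function translateMessage(message, targetLanguage) {
  const stored = messages.get(message._id);
  if (!stored) throw new Error('not-found');
  return `[${targetLanguage}] ${stored.msg}`;
}

// Vulnerable shape described by the advisory: the method trusts the
// client-supplied message object and never asks who the caller is or
// whether they belong to the room, so any message ID yields its content.
function translateMessageUnguarded(clientMessage, targetLanguage) {
  return translateMessage(clientMessage, targetLanguage);
}

// Guarded shape: the client sends only an ID; the server identifies the
// caller, loads the message itself, and checks room membership first.
// One error for "missing" and "not a member" avoids an existence oracle.
function translateMessageGuarded(userId, messageId, targetLanguage) {
  if (!userId) throw new Error('not-authorized'); // Meteor.userId() stand-in
  const message = messages.get(messageId);
  if (!message || !subscriptions.has(`${userId}:${message.rid}`)) {
    throw new Error('not-authorized');
  }
  return translateMessage(message, targetLanguage);
}

// Returns the error message thrown by fn, or null if it did not throw.
function thrownMessage(fn) {
  try { fn(); return null; } catch (e) { return e.message; }
}
```

With the unguarded shape, a non-member calling with only `{ _id: 'msg1' }` receives the private message text; the guarded shape returns it to the room member alice and rejects everyone else with the same error.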

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-32995 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built Rocket.Chat images. This coverage applies regardless of whether the image originates from an upstream registry or a customer-maintained build.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting that score against each environment's compliance policy to determine urgency and routing. Triage results are routed to the appropriate team inbox within each customer organization based on the affected workload's ownership metadata.

Patch: Available

A patched-image rebuild at each of the fix versions (7.10.12, 7.13.8, 8.0.6, 8.1.5, 8.2.4) becomes available through HarborGuard for any environment running an affected release. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs the regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The DDP endpoint is exposed over the network, so an attacker must be able to reach the Rocket.Chat service remotely.

  • Authentication: Required

    Any low-privilege authenticated DDP account is sufficient; no administrative or special role is needed.

  • Victim interaction: Not required

    The attacker calls the DDP method directly and does not require any action from another user.

  • Attack complexity: Low

    The exploit is reliable and condition-free: calling the unguarded DDP method with a known message ID consistently returns message content.

Blast Radius

  • An attacker reads the full plaintext content of any message in any Rocket.Chat room by supplying only a message ID.
  • Private channels and direct messages are equally exposed, bypassing any channel-level access restrictions.
  • End-to-end encrypted (E2EE) room messages are accessible, undermining the confidentiality guarantee those rooms are intended to provide.
  • No data is modified and no service disruption occurs; impact is limited to confidentiality of stored message content.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-32995 is active across all connected environments the moment the CVE enters the upstream feeds. For environments running any affected Rocket.Chat version, a patched-image rebuild at the appropriate fix version (7.10.12, 7.13.8, 8.0.6, 8.1.5, or 8.2.4) is available for promotion. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the target fix version, executes the regression test run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the triage finding is routed to the responsible team inbox with CVSS scoring and affected-image details so the team can act manually. As an interim compensating control before patching, consider applying network policy to restrict DDP endpoint access to authenticated internal networks only, reducing exposure to external or lateral attackers.

Metrics

  • CVSS v3.0: 7.5
  • Severity: HIGH
  • Fixed in: 7.10.12
  • Affected Products: 1

Fix available

  • 7.10.12 · 7.13.8 · 8.0.6 · 8.1.5 · 8.2.4 · 8.3.4 · 8.4.2 · 8.5.0
Affected packages
  • Rocket.Chat / Rocket.Chat
    < 8.5.0 (from 8.5.0) · < 8.4.2 (from 8.4.0) · < 8.3.4 (from 8.3.0) · < 8.2.4 (from 8.2.0) · < 8.1.5 (from 8.1.0) · < 8.0.6 (from 8.0.0)
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N