Rocket.Chat Autotranslate Endpoint Message Content Disclosure Vulnerability

Vulnerability

A vulnerability exists in the Rocket.Chat autotranslate feature, specifically within the 'translateMessage' endpoint of the API. This issue is present in versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. The vulnerability allows any authenticated user to access the full content of messages from any room, including private groups, direct messages, and channels. The endpoint looks up the message by the supplied message ID and returns it without checking whether the caller has access to the message's room. The response includes the complete IMessage object, containing the message text, sender information, room ID, timestamps, and markdown content.
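
The authorization gap described above, shown as an added illustration that is not Rocket.Chat's own code: a "fetch message by ID" handler that only checks that the caller is authenticated, beside a hardened version that authorizes the caller against the message's room before returning anything. The room and message records, the room types ('c' channel, 'p' private group, 'd' direct message) and the `canAccessRoom` rule are simplified, constructed stand-ins for the real collections and checks.

```javascript
// Constructed in-memory data standing in for the real rooms/messages collections.
const rooms = {
  general: { type: 'c', members: ['alice', 'bob'] }, // public channel
  execs:   { type: 'p', members: ['alice'] },        // private group
  dm1:     { type: 'd', members: ['alice', 'bob'] }, // direct message
};
const messages = {
  m1: { _id: 'm1', rid: 'general', u: { username: 'bob' },   msg: 'hello all' },
  m2: { _id: 'm2', rid: 'execs',   u: { username: 'alice' }, msg: 'board numbers' },
  m3: { _id: 'm3', rid: 'dm1',     u: { username: 'alice' }, msg: 'lunch?' },
};

// Simplified room access rule (assumption): public channels are readable by any
// user; private groups and direct messages only by their members.
function canAccessRoom(username, rid) {
  const room = rooms[rid];
  if (!room) return false;
  return room.type === 'c' || room.members.includes(username);
}

// Vulnerable shape: the only precondition is "caller is authenticated". The
// message is resolved by ID and returned in full, whatever room it belongs to,
// so any authenticated user can read private group and DM content by ID.
function translateMessageVulnerable(caller, messageId) {
  if (!caller) return { status: 401 };
  const message = messages[messageId];
  if (!message) return { status: 404 };
  return { status: 200, message }; // whole message object leaves the server
}

// Hardened shape: resolve the message, then check the caller's access to the
// message's room before any field of it is returned. A single 404 covers both
// "no such message" and "not permitted", so the endpoint does not confirm
// which message IDs exist in rooms the caller cannot see.
function translateMessageFixed(caller, messageId) {
  if (!caller) return { status: 401 };
  const message = messages[messageId];
  if (!message || !canAccessRoom(caller, message.rid)) return { status: 404 };
  return { status: 200, message };
}
```

The detection angle follows from the same check: a burst of translateMessage calls from one account whose message IDs resolve to rooms that account is not a member of is the signal a patched server would turn into 404s and an unpatched one would serve.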

Impact

Exploitation of this vulnerability leads to unauthorized access to private message content, including direct messages, private group messages, and channel messages, for any authenticated user.

Added: May 19, 2026, 5:20 AM
Updated: May 19, 2026, 5:20 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 6.8
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.