Dark C0d3rs

Dark C0d3rs > Exploit Log > Research Papers/Vulnerability reports > HackerOne Disclosed Reports - 2026-05-17
Full Version: HackerOne Disclosed Reports - 2026-05-17
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

hashXploiter

Yesterday, 12:30 PM
Logo
Medium
resolved

IDOR: autotranslate.translateMessage Full Message Content Leak


Bug reported by Josan was disclosed at May 18, 2026, 12:37 am   |   Insecure Direct Object Reference (IDOR)

The `/api/v1/autotranslate.translateMessage` endpoint allowed any authenticated user to retrieve the full content of any message from any room, including private groups, direct messages, and channels. The endpoint fetched the message without performing a room access check, returning the complete message object including the message text, sender information, room ID, timestamps, and markdown content.


Dark C0d3rs > Exploit Log > Research Papers/Vulnerability reports > HackerOne Disclosed Reports - 2026-05-17