HackerOne Disclosed Reports - 2026-05-17 - Printable Version
Dark C0d3rs (https://darkcoders.wiki)
HackerOne disclosed reports - 2026-05-17 - hashXploiter - 05-18-2026
Medium
resolved
IDOR: autotranslate.translateMessage Full Message Content Leak
Bug reported by Josan was disclosed at May 18, 2026, 12:37 am | Insecure Direct Object Reference (IDOR)

The `/api/v1/autotranslate.translateMessage` endpoint allowed any authenticated user to retrieve the full content of any message from any room, including private groups, direct messages, and channels. The endpoint fetched the message without performing a room access check, returning the complete message object including the message text, sender information, room ID, timestamps, and markdown content.
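
The missing room access check described in the report above, sketched as an added example (not code from the report or from the affected project). The in-memory stores, user names, the `translate` stub and every function name are hypothetical, and room access is simplified to membership.

```javascript
// Constructed in-memory data; every name here is hypothetical, not the product's code.
const rooms = new Map([
  ["GENERAL", { id: "GENERAL", type: "channel", members: new Set(["alice", "bob", "mallory"]) }],
  ["PRIV1", { id: "PRIV1", type: "private", members: new Set(["alice", "bob"]) }],
]);
const messages = new Map([
  ["m1", { id: "m1", rid: "GENERAL", u: "alice", msg: "hello all", ts: 1 }],
  ["m2", { id: "m2", rid: "PRIV1", u: "bob", msg: "private note", ts: 2 }],
]);

// Stand-in for the translation step; it plays no part in the access decision.
const translate = (text, lang) => `[${lang}] ${text}`;

// Assumption: access means room membership (real systems also handle public rooms, roles).
function canAccessRoom(userId, roomId) {
  const room = rooms.get(roomId);
  return Boolean(room && room.members.has(userId));
}

// 'Before': the message is looked up by id alone and the whole object is returned.
function translateMessageUnchecked(userId, messageId, lang) {
  const message = messages.get(messageId);
  if (!message) return { status: 404, body: { error: "message-not-found" } };
  return { status: 200, body: { message: { ...message, translated: translate(message.msg, lang) } } };
}

// 'After': authorize the caller against the message's room before using its content.
function translateMessageChecked(userId, messageId, lang) {
  const message = messages.get(messageId);
  // Same response for "missing" and "not allowed", so ids cannot be probed for existence.
  if (!message || !canAccessRoom(userId, message.rid)) {
    return { status: 404, body: { error: "message-not-found" } };
  }
  return { status: 200, body: { message: { ...message, translated: translate(message.msg, lang) } } };
}

// Regression check: a user outside PRIV1 must never receive m2's text.
function leaksToNonMember(handler) {
  const res = handler("mallory", "m2", "de");
  return res.status === 200 && JSON.stringify(res.body).includes("private note");
}
```

The regression check is the part worth keeping in a test suite: every endpoint that accepts a message id should be run through it with a caller who is not in the message's room.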