CVE-2026-24332
Unknown Unknown - Not Provided
Information Disclosure in Discord WebSocket API Reveals Invisible Users

Publication date: 2026-01-22

Last updated on: 2026-01-22

Assigner: MITRE

Description
Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as "You will appear offline."
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-01-22
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24332
EUVD
EUVD-2026-4170
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
discord discord *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability in Discord's WebSocket API allows an observer to detect whether a user is actually invisible rather than offline. The API includes invisible users in the presences array with a status set to "offline," while truly offline users are omitted entirely. This discrepancy leaks information about a user's real presence state, despite the UI showing invisible users as offline. [1]

Impact Analysis

This vulnerability can impact you by leaking your true online presence status. Even if you set your status to invisible to appear offline, an observer can determine that you are actually connected and active, potentially compromising your privacy. [1]

Detection Guidance

This vulnerability can be detected by monitoring Discord's WebSocket API responses, specifically by inspecting the `presences` array in the data received. If a user appears in the `presences` array with a status field set to "offline" but still has a presence object (including user ID, empty `client_status`, and empty `activities`), it indicates the user is actually Invisible rather than offline. Commands to detect this would involve capturing and analyzing WebSocket traffic to Discord, for example using tools like `websocat` or `wscat` to connect to the WebSocket API and then parsing the JSON responses for the `presences` array to check for these conditions. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24332. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart