{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-24332", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-01-22T08:10:44.192Z", "datePublished": "2026-01-22T08:10:44.462Z", "dateUpdated": "2026-01-22T15:11:05.705Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "WebSocket API service", "vendor": "Discord", "versions": [{"lessThanOrEqual": "2026-01-16", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with \"status\": \"offline\"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as \"You will appear offline.\""}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-204", "description": "CWE-204 Observable Response Discrepancy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-22T08:26:11.593Z"}, "references": [{"url": "https://xmrcat.org/discord-invisibility-bypass"}], "tags": ["exclusively-hosted-service"], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T15:10:52.267809Z", "id": "CVE-2026-24332", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T15:11:05.705Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24332", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T15:10:52.267809Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T15:11:00.708Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Discord", "product": "WebSocket API service", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2026-01-16"}], "defaultStatus": "unknown"}], "references": [{"url": "https://xmrcat.org/discord-invisibility-bypass"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with \"status\": \"offline\"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as \"You will appear offline.\""}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-204", "description": "CWE-204 Observable Response Discrepancy"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-01-22T08:26:11.593Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24332", "state": "PUBLISHED", "dateUpdated": "2026-01-22T15:11:05.705Z", "dateReserved": "2026-01-22T08:10:44.192Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-01-22T08:10:44.462Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with \"status\": \"offline\"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as \"You will appear offline.\""}, {"lang": "es", "value": "Discord hasta el 16 de enero de 2026 permite recopilar informaci\u00f3n sobre si el estado del cliente de un usuario es Invisible (y no realmente fuera de l\u00ednea) porque la respuesta a una solicitud de API de WebSocket incluye al usuario en el array de presencias (con 'status': 'offline'), mientras que los usuarios fuera de l\u00ednea son omitidos del array de presencias. Esto es discutiblemente inconsistente con la descripci\u00f3n de la interfaz de usuario de Invisible como 'Aparecer\u00e1s fuera de l\u00ednea'."}], "id": "CVE-2026-24332", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-01-22T08:16:00.857", "references": [{"source": "cve@mitre.org", "url": "https://xmrcat.org/discord-invisibility-bypass"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-204"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:26:28.135846+00:00", "value": {"mitigation_remediation": ["Upgrade Discord to the latest release that fixes the presence leakage (version 2026-01-17 or later).", "If no recent update is available, consider disabling or limiting the use of the WebSocket presence API until a fix is released.", "Monitor Discord\u2019s security advisories and release notes for the first patch addressing this privacy issue."], "summary": {"action": "Monitor", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Discord WebSocket API service versions up to 2026-01-16. The vulnerability is present in the client configuration that returns presence data containing the user with an \"offline\" status while marking actual offline users absent.", "description_and_impact": "Discord WebSocket API responses expose whether a user is set to Invisible by including the user in the presences array with a status of \"offline\"; offline users are omitted entirely. This discrepancy allows an attacker to determine a user\u2019s invisible state, compromising the intended privacy of the Invisible mode and providing unsolicited insight into user activity. The underlying weakness is a client state information leakage.", "risk_and_exploitability": "The CVSS score of 4.3 indicates medium severity, but the EPSS score shows a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a crafted WebSocket request to the Discord API that retrieves presence data. Exploitation requires network access to the API and basic knowledge of WebSocket interactions but does not grant further privileges or direct code execution."}}}}, "created": "2026-01-23T16:32:45.621181+00:00", "title": "Discord Invisible Mode Information Disclosure via WebSocket Presence API", "updated": "2026-04-18T15:30:03.964190+00:00", "vendors": ["discord", "discord$PRODUCT$discord"]}