CVE-2026-24332 Overview
CVE-2026-24332 is an information disclosure vulnerability in Discord that allows users to determine whether another user is using the "Invisible" status rather than being genuinely offline. The vulnerability exists because Discord's WebSocket API response includes users with Invisible status in the presences array with "status": "offline", while truly offline users are completely omitted from this array. This behavior contradicts Discord's user interface description of Invisible mode as "You will appear offline."
Critical Impact
Users relying on Discord's Invisible status for privacy can be identified as being online by other users who exploit this information disclosure through the WebSocket API.
Affected Products
- Discord client versions through 2026-01-16
- Discord WebSocket API
Discovery Timeline
- 2026-01-22 - CVE-2026-24332 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2026-24332
Vulnerability Analysis
This vulnerability falls under CWE-204 (Observable Response Discrepancy), where the application provides different responses that reveal information about user state that should remain hidden. Discord's Invisible status feature is designed to allow users to appear offline to other users while still being able to use the platform. However, a flaw in the WebSocket API implementation creates an observable difference between users who are genuinely offline versus those who have set their status to Invisible.
When querying user presence information through Discord's WebSocket API, the response behavior differs based on the user's actual state. Users with Invisible status are included in the presences array with their status explicitly set to "offline," while users who are genuinely offline are simply not included in the array at all. This discrepancy allows an attacker with low privileges (authenticated Discord user) to enumerate and identify users who are attempting to hide their online presence.
Root Cause
The root cause of this vulnerability is an implementation flaw in Discord's presence management system. The WebSocket API fails to properly mask the presence of Invisible users, treating them as "offline" entries in the response rather than omitting them entirely as it does for genuinely offline users. This creates two distinct response patterns that can be differentiated by observant users or automated tools.
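The two response shapes described above can be reproduced with a small presence serializer. The code below is an added illustration, not Discord's own code, and its member model, field names and sample data are constructed assumptions. It shows the vulnerable shape (an Invisible member is emitted with "status": "offline" while a session-less member is omitted), the hardened shape (the visibility decision is made before serialization, so Invisible and offline take the same path), and a regression check that flags any payload difference between the two cases as a CWE-204 oracle.

```python
"""Presence serialization: reproducing and closing the CWE-204 discrepancy.

Added example with a constructed data model; not Discord's implementation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Member:
    """Constructed member record (assumption, not Discord's schema)."""
    user_id: str
    # Actual state: "online", "idle", "dnd", "invisible" (connected but hidden),
    # or "offline" (no active session at all).
    real_status: str


Presence = Dict[str, object]


def serialize_presences_vulnerable(members: List[Member]) -> List[Presence]:
    """Vulnerable shape: the status VALUE is masked but the ENTRY is still emitted.

    A member with no session produces no entry; an Invisible member produces an
    entry whose status reads "offline". Whether an entry exists therefore
    reveals whether the user is connected.
    """
    out: List[Presence] = []
    for m in members:
        if m.real_status == "offline":
            continue  # no session -> no entry
        shown = "offline" if m.real_status == "invisible" else m.real_status
        out.append({"user": {"id": m.user_id}, "status": shown})
    return out


def serialize_presences_fixed(members: List[Member]) -> List[Presence]:
    """Hardened shape: decide visibility first, then serialize.

    Invisible and offline members are handled by the same branch, so the
    payload for "hidden" is byte-for-byte the payload for "absent".
    """
    out: List[Presence] = []
    for m in members:
        if m.real_status in ("offline", "invisible"):
            continue
        out.append({"user": {"id": m.user_id}, "status": m.real_status})
    return out


def leaks_invisibility(serialize: Callable[[List[Member]], List[Presence]],
                       others: List[Member],
                       target_id: str = "1001") -> bool:
    """Regression check for CWE-204.

    Serialize the same guild twice, once with the target Invisible and once with
    the target truly offline. Any difference in the two payloads is an
    observable discrepancy a low-privileged viewer could use as an oracle.
    """
    as_invisible = serialize(others + [Member(target_id, "invisible")])
    as_offline = serialize(others + [Member(target_id, "offline")])
    return as_invisible != as_offline


# Constructed sample guild: two visible members and one truly offline member.
SAMPLE_OTHERS = [
    Member("1002", "online"),
    Member("1003", "idle"),
    Member("1004", "offline"),
]


if __name__ == "__main__":
    for name, fn in (("vulnerable", serialize_presences_vulnerable),
                     ("fixed", serialize_presences_fixed)):
        print(f"{name:10s} leaks invisibility: {leaks_invisibility(fn, SAMPLE_OTHERS)}")
```

The check is the property a fix should be gated on: for every viewer, the presence payload with a user Invisible must equal the payload with that user offline. Masking only the status string, as the vulnerable serializer does, is not enough because the array membership itself is the signal.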
Attack Vector
The attack requires network access and authenticated privileges on the Discord platform. An attacker can exploit this vulnerability by making WebSocket API requests and analyzing the presences array in the response. By comparing whether a target user appears in the presences array with "status": "offline" versus being absent from the array entirely, the attacker can determine if the user is using Invisible mode.
The attack flow involves:
- Establishing a WebSocket connection to Discord's API as an authenticated user
- Requesting presence information for target users (typically in shared servers)
- Analyzing the response to identify users appearing as "offline" in the presences array
- Cross-referencing with users absent from the array to distinguish Invisible from truly offline users
For detailed technical analysis, refer to the XMRCat Discord Invisibility Analysis.
Detection Methods for CVE-2026-24332
Indicators of Compromise
- Unusual volume of WebSocket API requests querying user presence information
- Automated scripts or tools making repeated presence status queries
- Abnormal patterns of presence array analysis from specific user accounts
Detection Strategies
- Monitor WebSocket connection patterns for high-frequency presence queries
- Implement rate limiting on presence-related API endpoints
- Log and analyze API access patterns for enumeration behavior
- Alert on suspicious batch queries targeting multiple users' presence status
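The high-frequency and batch-query strategies above can be expressed as a sliding-window rule over presence-query audit events. The following detector is an added example, not a Discord tool; the log line format, field names and thresholds are constructed assumptions, since Discord does not publish such logs. It raises one alert per account and reason when, within a 60-second window, an account exceeds a query-count threshold or a distinct-target threshold.

```python
"""Sliding-window detection of presence-enumeration behaviour.

Added example over a constructed log format (assumption); not a Discord tool.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Set, Tuple

# Assumed audit line format: "<ISO-8601 UTC> account=<id> op=presence_query targets=<id,id,...>"
LINE_RE = re.compile(r"^(\S+) account=(\S+) op=presence_query targets=(\S+)$")

# Thresholds are assumptions to be tuned against real traffic.
WINDOW_SECONDS = 60
MAX_QUERIES_PER_WINDOW = 10
MAX_DISTINCT_TARGETS_PER_WINDOW = 20

# Constructed sample log: A1 behaves normally, A2 sweeps 23 users in ~10 seconds.
SAMPLE_LOG = """\
2026-01-22T10:00:00Z account=A1 op=presence_query targets=1001
2026-01-22T10:00:05Z account=A1 op=presence_query targets=1002
2026-01-22T10:00:12Z account=A2 op=presence_query targets=1001,1002,1003,1004,1005,1006
2026-01-22T10:00:13Z account=A2 op=presence_query targets=1007,1008,1009,1010,1011
2026-01-22T10:00:14Z account=A2 op=presence_query targets=1012,1013,1014,1015
2026-01-22T10:00:15Z account=A2 op=presence_query targets=1016
2026-01-22T10:00:16Z account=A2 op=presence_query targets=1017
2026-01-22T10:00:17Z account=A2 op=presence_query targets=1018
2026-01-22T10:00:18Z account=A2 op=presence_query targets=1019
2026-01-22T10:00:19Z account=A2 op=presence_query targets=1020
2026-01-22T10:00:20Z account=A2 op=presence_query targets=1021
2026-01-22T10:00:21Z account=A2 op=presence_query targets=1022
2026-01-22T10:00:22Z account=A2 op=presence_query targets=1023
2026-01-22T10:05:00Z account=A1 op=presence_query targets=1001
"""

Event = Tuple[float, str, Set[str]]  # (epoch seconds, account, target ids)


def parse_line(line: str) -> Optional[Event]:
    """Parse one audit line; returns None for lines that are not presence queries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    epoch = ts.replace(tzinfo=timezone.utc).timestamp()
    return epoch, m.group(2), set(m.group(3).split(","))


def detect_enumeration(lines: List[str],
                       window: int = WINDOW_SECONDS,
                       max_queries: int = MAX_QUERIES_PER_WINDOW,
                       max_targets: int = MAX_DISTINCT_TARGETS_PER_WINDOW
                       ) -> List[Tuple[str, str]]:
    """Return sorted (account, reason) alerts, at most one per account and reason.

    Events are assumed to arrive in time order. Per account, a deque holds the
    events inside the trailing window; query count and the union of target ids
    are recomputed on every event.
    """
    windows: Dict[str, Deque[Tuple[float, Set[str]]]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], float] = {}  # first timestamp that tripped the rule
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, account, targets = parsed
        q = windows[account]
        q.append((ts, targets))
        while q and ts - q[0][0] > window:
            q.popleft()  # evict events that fell out of the window
        distinct = set().union(*(t for _, t in q))
        if len(q) > max_queries:
            alerts.setdefault((account, "high_query_rate"), ts)
        if len(distinct) > max_targets:
            alerts.setdefault((account, "batch_target_enumeration"), ts)
    return sorted(alerts)


if __name__ == "__main__":
    for account, reason in detect_enumeration(SAMPLE_LOG.splitlines()):
        print(f"ALERT account={account} reason={reason}")
```

Two design points: the rule keys on the union of distinct targets rather than raw request count, because a single batched request naming many users is the cheaper enumeration pattern and would slip under a pure rate rule; and alerts are deduplicated per account and reason so a sustained sweep produces one actionable event instead of one per request.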
Monitoring Recommendations
- Enable logging for WebSocket API presence queries
- Set up anomaly detection for unusual API usage patterns
- Monitor for third-party tools or scripts that may be exploiting this vulnerability
- Track user reports of privacy concerns related to Invisible status
How to Mitigate CVE-2026-24332
Immediate Actions Required
- Users concerned about privacy should be aware that Invisible status may not fully hide their online presence
- Consider fully logging out of Discord when genuine offline appearance is required
- Organizations should inform users about this limitation of the Invisible status feature
Patch Information
As of 2026-01-22, no vendor patch information has been published. Users should monitor Discord's official security communications and update to the latest client version when a fix becomes available. The vulnerability affects Discord versions through 2026-01-16.
Workarounds
- Fully disconnect or log out from Discord instead of relying on Invisible status for privacy
- Use Discord in a web browser and close the browser/tab when offline appearance is desired
- Disable automatic startup of Discord client to prevent unintended presence disclosure
- Be aware that Invisible status provides limited privacy guarantees until Discord addresses this API behavior
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.