PT-2026-3920 · Discord · Discord

Xmrcat · Published 2026-01-22 · Updated 2026-01-22 · CVE-2026-24332

CVSS v3.1: 4.3
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Discord versions through 2026-01-16
Description
The software allows gathering information about whether a user’s client state is Invisible (and not actually offline). The response to a WebSocket API request includes the user in the presences array with a status of "offline", while truly offline users are omitted from this array. This behavior is inconsistent with the user interface description of Invisible, which states that users will appear offline. The issue involves the handling of user presence information via the WebSocket API. Specifically, the /presences API endpoint reveals the status of users who have set their status to Invisible. The status variable within the API response indicates whether a user is online, offline, idle, or do not disturb.
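The inconsistency described above can be expressed as a server-side regression check. This is an added example, not Discord's code: the `User` model, both serializers and the `distinguishable` helper are hypothetical, and omitting Invisible users is only one possible way to make the two states look the same.

```python
# Added illustration; NOT Discord's code. Data model and names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    client_state: str  # "online", "idle", "dnd", "invisible" or "offline"


def presences_leaky(users):
    """Behaviour described in the advisory: Invisible users are listed with
    status "offline", while truly offline users are omitted from the array."""
    out = []
    for u in users:
        if u.client_state == "offline":
            continue
        status = "offline" if u.client_state == "invisible" else u.client_state
        out.append({"user_id": u.user_id, "status": status})
    return out


def presences_consistent(users):
    """Assumed mitigation: treat Invisible exactly like offline (omit both)."""
    return [
        {"user_id": u.user_id, "status": u.client_state}
        for u in users
        if u.client_state not in ("offline", "invisible")
    ]


def distinguishable(serializer, user_id="1001"):
    """Regression check: does the payload change when one user switches between
    truly offline and Invisible, with every other user held constant?"""
    others = [User("1002", "online"), User("1003", "idle")]  # constructed sample
    as_offline = serializer([User(user_id, "offline")] + others)
    as_invisible = serializer([User(user_id, "invisible")] + others)
    return as_offline != as_invisible


if __name__ == "__main__":
    print("leaky serializer distinguishable:", distinguishable(presences_leaky))
    print("consistent serializer distinguishable:", distinguishable(presences_consistent))
```

A check of this shape belongs in the test suite of whatever component builds the presences array, so that any later change which makes the two states observable again fails the build.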
Recommendations
Versions through 2026-01-16 should be updated when a fix becomes available.

Related Identifiers

CVE-2026-24332

Affected Products

Discord