CVE-2026-24332
📋 TL;DR
This CVE reveals that Discord's WebSocket API leaks information about users who set their status to 'Invisible'. The API incorrectly includes invisible users in the presence array with an explicit 'offline' status, while truly offline users are omitted from the array entirely, so an observer can tell the two cases apart. This affects Discord users who rely on the Invisible feature for privacy.
💻 Affected Systems
- Discord
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could monitor specific users' actual online status despite their Invisible setting, enabling targeted harassment, social engineering, or privacy violations.
Likely Case
Privacy violation where users' invisible status can be detected by monitoring WebSocket traffic, undermining the expected privacy feature.
If Mitigated
Limited impact if users understand the limitation and adjust privacy expectations accordingly.
🎯 Exploit Status
Exploitation requires access to the Discord WebSocket API and the ability to monitor presence updates. The referenced article demonstrates the technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None known
Restart Required: No
Instructions:
No official patch available. Monitor Discord updates and patch when available.
🔧 Temporary Workarounds
Avoid Invisible Status
Do not rely on Discord's Invisible status feature for privacy. Go truly offline, or use other privacy controls, when you do not want your presence observed.
🧯 If You Can't Patch
- Educate users about the limitation of Invisible status
- Consider using alternative communication platforms for sensitive conversations
🔍 How to Verify
Check if Vulnerable:
Monitor Discord WebSocket traffic and check whether users known to be Invisible appear in the presence array with 'offline' status while users known to be truly offline are omitted from it.
Check Version:
Check Discord client version in Settings > Appearance > Advanced > Version
Verify Fix Applied:
After Discord updates, verify that invisible users are treated identically to offline users in WebSocket presence responses.
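A check for the "Verify Fix Applied" step, as an added example that is not part of this advisory or of Discord's code: given the presence array from a captured gateway payload, it reports how each member is represented and whether the signature the advisory describes (an explicit 'offline' entry) is present. The payload shape (a "presences" list of objects carrying "user.id" and "status") and the sample IDs are constructed assumptions, not captured traffic.

```python
import json

# Constructed sample shaped like the presence array the advisory describes.
# Not captured traffic: IDs and statuses are made up for this example.
VULNERABLE_PAYLOAD = json.dumps({
    "presences": [
        {"user": {"id": "111"}, "status": "online"},
        {"user": {"id": "222"}, "status": "dnd"},
        {"user": {"id": "333"}, "status": "offline"},  # Invisible user leaked
        # user 444 is truly offline and therefore omitted
    ]
})

# Same roster after a fix: the Invisible user is omitted like an offline one.
FIXED_PAYLOAD = json.dumps({
    "presences": [
        {"user": {"id": "111"}, "status": "online"},
        {"user": {"id": "222"}, "status": "dnd"},
    ]
})


def classify_members(payload: str, member_ids):
    """Map each member id to how the presence array represents it.

    A member is either listed with an explicit status ("listed:<status>")
    or absent from the array ("absent"), which per the advisory is how a
    truly offline user is represented.
    """
    presences = json.loads(payload).get("presences", [])
    by_id = {p["user"]["id"]: p.get("status", "unknown") for p in presences}
    return {uid: f"listed:{by_id[uid]}" if uid in by_id else "absent"
            for uid in member_ids}


def leak_signature_present(payload: str) -> bool:
    """True if any entry carries an explicit 'offline' status.

    Because truly offline users are omitted, an explicit 'offline' entry is
    the fingerprint of an Invisible user. Once Invisible users are treated
    identically to offline users, this returns False.
    """
    presences = json.loads(payload).get("presences", [])
    return any(p.get("status") == "offline" for p in presences)


if __name__ == "__main__":
    roster = ["111", "222", "333", "444"]
    print(classify_members(VULNERABLE_PAYLOAD, roster))
    print("leak signature before fix:", leak_signature_present(VULNERABLE_PAYLOAD))
    print("leak signature after fix:", leak_signature_present(FIXED_PAYLOAD))
```

Run it against a payload captured from your own test accounts (one set to Invisible, one fully offline); the fix is confirmed when the Invisible account is reported as "absent" and the signature check returns False.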
📡 Detection & Monitoring
Log Indicators:
- Unusual WebSocket monitoring activity
- Multiple presence API requests targeting specific users
Network Indicators:
- Sustained WebSocket connections monitoring presence updates
- Patterns of presence requests for users known to use Invisible status
SIEM Query:
websocket AND (presence OR status) AND discord AND (monitoring OR scanning)