Description
Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as "You will appear offline."
Published: 2026-01-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Monitor
AI Analysis

Impact

Discord WebSocket API responses expose whether a user is set to Invisible by including the user in the presences array with a status of "offline"; offline users are omitted entirely. This discrepancy allows an attacker to determine a user’s invisible state, compromising the intended privacy of the Invisible mode and providing unsolicited insight into user activity. The underlying weakness is a client state information leakage.

Affected Systems

Discord WebSocket API service versions up to 2026-01-16. The vulnerability is present in the client configuration that returns presence data containing the user with an "offline" status while marking actual offline users absent.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, but the EPSS score shows a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a crafted WebSocket request to the Discord API that retrieves presence data. Exploitation requires network access to the API and basic knowledge of WebSocket interactions but does not grant further privileges or direct code execution.

Generated by OpenCVE AI on April 18, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Discord to the latest release that fixes the presence leakage (version 2026-01-17 or later).
  • If no recent update is available, consider disabling or limiting the use of the WebSocket presence API until a fix is released.
  • Monitor Discord’s security advisories and release notes for the first patch addressing this privacy issue.

Generated by OpenCVE AI on April 18, 2026 at 15:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Title Discord Invisible Mode Information Disclosure via WebSocket Presence API

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Discord
Discord discord
Vendors & Products Discord
Discord discord

Thu, 22 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
Description Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as "You will appear offline."
Weaknesses CWE-204
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Discord Discord
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-01-22T15:11:05.705Z

Reserved: 2026-01-22T08:10:44.192Z

Link: CVE-2026-24332

cve-icon Vulnrichment

Updated: 2026-01-22T15:11:00.708Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T08:16:00.857

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24332

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses