FKIE_CVE-2026-24332

Vulnerability from fkie_nvd - Published: 2026-01-22 08:16 - Updated: 2026-04-15 00:35
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as "You will appear offline."
References
cve@mitre.orghttps://xmrcat.org/discord-invisibility-bypass
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [
    {
      "sourceIdentifier": "cve@mitre.org",
      "tags": [
        "exclusively-hosted-service"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "Discord through 2026-01-16 allows gathering information about whether a user\u0027s client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with \"status\": \"offline\"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as \"You will appear offline.\""
    },
    {
      "lang": "es",
      "value": "Discord hasta el 16 de enero de 2026 permite recopilar informaci\u00f3n sobre si el estado del cliente de un usuario es Invisible (y no realmente fuera de l\u00ednea) porque la respuesta a una solicitud de API de WebSocket incluye al usuario en el array de presencias (con \u0027status\u0027: \u0027offline\u0027), mientras que los usuarios fuera de l\u00ednea son omitidos del array de presencias. Esto es discutiblemente inconsistente con la descripci\u00f3n de la interfaz de usuario de Invisible como \u0027Aparecer\u00e1s fuera de l\u00ednea\u0027."
    }
  ],
  "id": "CVE-2026-24332",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "cve@mitre.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-22T08:16:00.857",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://xmrcat.org/discord-invisibility-bypass"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-204"
        }
      ],
      "source": "cve@mitre.org",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.