CVE-2026-24332: CWE-204 Observable Response Discrepancy in Discord WebSocket API service
CVE-2026-24332 is a medium-severity vulnerability in Discord's WebSocket API service that allows an attacker to distinguish users who are Invisible from those who are truly offline. The issue arises because Invisible users appear in the presences array with a status of "offline," while offline users are omitted entirely. This discrepancy leaks information about user presence state, contrary to the UI's claim that Invisible users appear offline. Exploitation requires network access and authenticated privileges but no user interaction. Although it does not impact confidentiality beyond presence state disclosure and does not affect integrity or availability, it can be used for user tracking or targeted social engineering. European organizations using Discord, especially those with high collaboration needs, should be aware of this privacy leak. Mitigations include monitoring API responses for unexpected presence data and advocating for Discord to patch the inconsistency. Countries with high Discord usage and active online communities, such as the UK, Germany, France, and the Netherlands, are most likely affected. The vulnerability has a CVSS score of 4.3, reflecting its limited but notable privacy impact.
AI Analysis
Technical Summary
CVE-2026-24332 identifies a privacy-related vulnerability in Discord's WebSocket API service that affects how user presence states are reported. Specifically, when a user sets their status to Invisible, the Discord client UI indicates that the user appears offline. However, the WebSocket API response includes Invisible users in the presences array with a status field set to "offline," whereas users who are truly offline are omitted from this array. This observable response discrepancy (classified under CWE-204: Observable Response Discrepancy) allows an attacker with access to the WebSocket API and authenticated privileges to infer whether a user is Invisible or offline by checking the presence data. The vulnerability does not require user interaction and can be exploited remotely over the network. The impact is limited to confidentiality, as it leaks presence state information that users may expect to remain hidden. There is no impact on data integrity or service availability. The vulnerability has a CVSS 3.1 base score of 4.3 (medium severity), reflecting its limited scope and impact. No known exploits are currently reported in the wild, and no official patch links are provided yet. The issue stems from inconsistent handling of presence data between the UI and API responses, which can be leveraged for user tracking or social engineering attacks.
Potential Impact
For European organizations, the primary impact of this vulnerability is a privacy concern related to user presence information leakage. Organizations relying on Discord for internal or external communication may have users who prefer to appear Invisible to avoid unwanted attention or maintain operational security. This vulnerability undermines that expectation by allowing adversaries to detect Invisible users, potentially enabling targeted social engineering, surveillance, or harassment. While the vulnerability does not expose sensitive data or compromise system integrity, the ability to distinguish Invisible users can be exploited in reconnaissance phases of attacks or to identify high-value targets who attempt to conceal their online presence. This could be particularly relevant for sectors with sensitive communications such as government agencies, NGOs, or enterprises with confidential projects. The lack of impact on availability or data integrity limits the operational risk, but the privacy implications warrant attention in compliance with European data protection regulations such as GDPR.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should implement the following specific measures:
1) Monitor and audit Discord WebSocket API traffic internally to detect anomalous queries or presence data that could indicate exploitation attempts.
2) Educate users about the limitations of the Invisible status and encourage cautious sharing of sensitive information on Discord.
3) Limit access to Discord API tokens and credentials to minimize the risk of unauthorized authenticated API calls.
4) Engage with Discord support or security channels to advocate for an official patch or update that aligns the API presence data with the UI behavior, removing Invisible users from the presences array or marking them distinctly without leaking their presence.
5) Consider alternative communication platforms with stronger privacy guarantees for sensitive communications until the issue is resolved.
6) Implement network-level controls to restrict WebSocket API access to trusted endpoints where feasible.
These steps go beyond generic advice by focusing on monitoring, user awareness, access control, vendor engagement, and platform selection tailored to this specific vulnerability.
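As an added illustration (not Discord's code), the following Python models the presence serialization discrepancy described above beside a serializer that closes it in the way mitigation 4 suggests, and includes the kind of response check mitigation 1 calls for; the user directory, the `user_id` field and all function names are constructed for this example.

```python
# Constructed sample directory: user id -> the state the user actually set.
# "invisible" is the state a user chooses in order to appear offline to others.
DIRECTORY = {
    "u1001": "online",
    "u1002": "idle",
    "u1003": "invisible",
    "u1004": "offline",
}


def leaky_presences(directory):
    """Models the reported behaviour: Invisible users are emitted with
    status "offline", while truly offline users are omitted entirely.
    The two states therefore have different wire representations."""
    out = []
    for uid, state in directory.items():
        if state == "offline":
            continue  # offline users never appear in the array
        wire_status = "offline" if state == "invisible" else state
        out.append({"user_id": uid, "status": wire_status})
    return out


def hardened_presences(directory):
    """Fix: decide visibility at the serialization boundary. Invisible is
    treated exactly like offline, so both states are omitted and an
    observer cannot tell them apart from the response alone."""
    return [
        {"user_id": uid, "status": state}
        for uid, state in directory.items()
        if state not in ("offline", "invisible")
    ]


def observable_states(presences):
    """What a recipient of the presences array learns about each user."""
    return {p["user_id"]: p["status"] for p in presences}


def flag_offline_entries(event):
    """Defender check over a parsed gateway event (mitigation 1): an entry
    with status "offline" inside the presences array is the leak signature,
    because truly offline users should not be listed at all."""
    presences = event.get("presences", [])
    return [p["user_id"] for p in presences if p.get("status") == "offline"]
```

In the leaky output u1003 (Invisible) is listed as "offline" while u1004 (offline) is absent; in the hardened output both are absent, so the check returns nothing.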
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-01-22T08:10:44.192Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6971dde84623b1157c521593
Added to database: 1/22/2026, 8:20:56 AM
Last enriched: 1/29/2026, 8:51:53 AM
Last updated: 2/8/2026, 6:13:09 AM