Discord
cpe:2.3:a:discord:discord:*:*:*:*:*:*:*
A vulnerability in Discord's WebSocket API allows the identification of users who are set to 'Invisible' by revealing their presence status as 'offline'. This behavior is inconsistent with the user interface, which describes 'Invisible' users as appearing offline. The issue arises because the presences array in the API response includes 'Invisible' users with a status of 'offline', while truly offline users are completely omitted. This vulnerability exists in Discord versions prior to January 16, 2026.
Exploitation of this vulnerability allows for privacy invasion: the 'offline' entry shows that a user is actually active but invisible, not offline.
To reproduce this vulnerability, send a WebSocket API request to Discord while the target user is set to 'Invisible'. The response will include the user in the presences array with a status of 'offline', indicating they are active rather than truly offline.
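The sketch below is an added illustration, not Discord's code: it models the serialization behaviour described above next to one possible server-side fix, plus a regression check that an 'Invisible' user and a disconnected user look identical to a recipient. The `Session` type, function names, user IDs and the choice of fix (omitting invisible users) are all assumptions.

```python
# Added illustration; hypothetical names and constructed sample data throughout.
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user_id: str
    connected: bool   # does the user have a live connection?
    status: str       # user-selected status: "online", "idle", "dnd", "invisible"

def presences_leaky(sessions):
    """Behaviour described on the page: connected 'Invisible' users are
    emitted with status 'offline'; disconnected users are omitted."""
    out = []
    for s in sessions:
        if not s.connected:
            continue
        status = "offline" if s.status == "invisible" else s.status
        out.append({"user": {"id": s.user_id}, "status": status})
    return out

def presences_hardened(sessions):
    """Assumed fix: treat 'Invisible' exactly like a disconnected user."""
    return [{"user": {"id": s.user_id}, "status": s.status}
            for s in sessions
            if s.connected and s.status != "invisible"]

def observer_view(presences, user_id):
    """What a recipient learns about one user: a status string, or None if absent."""
    for p in presences:
        if p["user"]["id"] == user_id:
            return p["status"]
    return None

def leaks_invisibility(serializer):
    """Regression check: serialize two worlds that differ only in whether
    user 2002 is invisible or disconnected, and compare the observer's view."""
    base = [Session("1001", True, "online")]
    invisible_world = base + [Session("2002", True, "invisible")]
    offline_world = base + [Session("2002", False, "online")]
    return (observer_view(serializer(invisible_world), "2002")
            != observer_view(serializer(offline_world), "2002"))

if __name__ == "__main__":
    print("leaky serializer leaks:", leaks_invisibility(presences_leaky))
    print("hardened serializer leaks:", leaks_invisibility(presences_hardened))
```

A check like `leaks_invisibility` belongs in the test suite of any presence serializer, since the leak comes from the difference between "present with a placeholder status" and "absent", not from the status value itself.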