Contact to DisCatSharp-owned server using authenticated client
Description
DisCatSharp is a Discord API wrapper for .NET. Users of versions 9.8.5, 9.8.6, 9.9.0 and previously published prereleases of 10.0.0 who have used either one of the two RequireDisCatSharpDeveloperAttributes or the BaseDiscordClient.LibraryDeveloperTeam have potentially had their bot token sent to a web server not affiliated with Discord. This server is owned and operated by DisCatSharp's development team. The tokens were not logged, yet it is still advisable to reset the tokens of potentially affected bots. 9.9.1 has been released to patch the issue for the current stable release and the current 10.0.0 prereleases are also no longer affected. Users unable to upgrade should remove all uses of the two RequireDisCatSharpDeveloperAttributes and all direct calls to BaseDiscordClient.LibraryDeveloperTeam.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DisCatSharp versions 9.8.5-9.9.0 and affected 10.0.0 prereleases inadvertently send bot tokens to an external server controlled by the library's development team.
Vulnerability
DisCatSharp, a Discord API wrapper for .NET, contains a vulnerability in versions 9.8.5, 9.8.6, 9.9.0, and previously published prereleases of 10.0.0. The HttpClient responsible for sending requests to the Discord API was erroneously reused to send requests to the DisCatSharp development team's web server when either of the two RequireDisCatSharpDeveloperAttributes or the BaseDiscordClient.LibraryDeveloperTeam property was used [3]. This causes the bot token to be transmitted to an external web server not affiliated with Discord [1].
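The failure mode described above is a credential bound to an HttpClient instance rather than to a destination: once the bot token sits in the client's default headers, every request that client sends carries it, whatever the host. The following C# is an added example and not DisCatSharp's code. It reproduces that pattern against a stub handler that echoes back the Authorization header it received, then shows a DelegatingHandler that attaches the token only to requests bound for the Discord API origin and strips it from everything else. The ScopedTokenHandler and EchoHandler names, the placeholder token, and the example.invalid host are assumptions made for illustration.

```csharp
// Added example, not library code: vulnerable client-wide token vs. destination-scoped token.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical hardened handler: the bot token is attached only when the request
// targets https://discord.com/api/; any other destination is sent without it.
public sealed class ScopedTokenHandler : DelegatingHandler
{
    private static readonly Uri DiscordApi = new Uri("https://discord.com/api/");
    private readonly string _token;

    public ScopedTokenHandler(string token, HttpMessageHandler inner) : base(inner)
    {
        _token = token;
    }

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        Uri uri = request.RequestUri;
        bool isDiscordApi = uri != null
            && uri.Scheme == Uri.UriSchemeHttps
            && string.Equals(uri.Host, DiscordApi.Host, StringComparison.OrdinalIgnoreCase)
            && uri.AbsolutePath.StartsWith(DiscordApi.AbsolutePath, StringComparison.Ordinal);

        if (isDiscordApi)
            request.Headers.Authorization = new AuthenticationHeaderValue("Bot", _token);
        else
            request.Headers.Authorization = null; // never forward the credential to a third party

        return base.SendAsync(request, ct);
    }
}

// Stub terminal handler so the demo runs offline: it answers every request with the
// Authorization header it actually received, which is what a remote server would see.
public sealed class EchoHandler : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        string seen = request.Headers.Authorization?.ToString() ?? "<no Authorization header>";
        return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK) { Content = new StringContent(seen) });
    }
}

public static class Demo
{
    private static async Task<string> Send(HttpClient client, Uri target)
    {
        using HttpResponseMessage response = await client.GetAsync(target);
        return await response.Content.ReadAsStringAsync();
    }

    public static async Task Main()
    {
        const string token = "EXAMPLE.BOT.TOKEN";                          // constructed placeholder, not a real token
        var thirdParty = new Uri("https://example.invalid/developer-team"); // stands in for any non-Discord host
        var discord = new Uri("https://discord.com/api/v10/users/@me");

        // Vulnerable pattern: DefaultRequestHeaders are copied onto every outgoing request,
        // so reusing this client for a non-Discord URL ships the token to that host.
        var shared = new HttpClient(new EchoHandler());
        shared.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bot", token);
        Console.WriteLine("shared client -> third party saw: " + await Send(shared, thirdParty));

        // Hardened pattern: the credential is decided per request from the destination.
        var scoped = new HttpClient(new ScopedTokenHandler(token, new EchoHandler()));
        Console.WriteLine("scoped client -> third party saw: " + await Send(scoped, thirdParty));
        Console.WriteLine("scoped client -> Discord saw:     " + await Send(scoped, discord));
    }
}
```

Keeping the token out of DefaultRequestHeaders and deciding it per request is the structural fix; the equivalent operational check is to grep a bot's codebase for any HttpClient that both carries a "Bot" Authorization header and is handed URLs outside the Discord API base address.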
Exploitation
No attacker action is required: the token is transmitted silently whenever a bot that uses either affected attribute or the property exercises those code paths, with no user interaction beyond normal library usage. The receiving server is owned and operated by the DisCatSharp development team, and there is no indication that the tokens were logged [3]; the credential nonetheless left the bot's trust boundary and reached a host that is not Discord.
Impact
Successful transmission of the bot token to an external server constitutes an information disclosure that could allow the server operator (or any attacker who compromises that server) to impersonate the affected bot, access Discord guilds where the bot is a member, and perform actions with the bot's privileges. Users of affected versions are advised to reset their bot tokens as a precaution [1][3].
Mitigation
The fix is released in version 9.9.1 for the stable release tree, and the current 10.0.0 prereleases are no longer affected [1][3]. Users unable to upgrade should immediately remove all uses of the two RequireDisCatSharpDeveloperAttributes and all direct calls to BaseDiscordClient.LibraryDeveloperTeam [3]. In either case the bot token should be reset in the Discord Developer Portal, since regenerating it invalidates the previously issued token. There is no indication this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| DisCatSharp (NuGet) | >= 9.8.5, < 9.9.1 | 9.9.1 |
Affected products
- Range: 9.8.5, 9.8.6, 9.9.0, <10.0.0 prereleases
- Aiko-IT-Systems/DisCatSharp, range: >= 9.8.5, < 9.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. https://github.com/advisories/GHSA-frxg-hf44-q765 (GitHub Security Advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2022-24849 (NVD)
3. https://github.com/Aiko-IT-Systems/DisCatSharp/security/advisories/GHSA-frxg-hf44-q765 (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.