Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Any authenticated guild member (PR:L) can invoke the commands remotely with no user interaction, causing high integrity and availability impact through rule tampering and mass message deletion; no confidentiality loss.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list because the command has no Discord default permission requirement and no runtime moderator permission check. An attacker can add a rule matching common text and make the bot delete other users’ messages. This issue has been patched in version 1.0.1.
AnalysisAI
Privilege escalation in Quest Bot Discord bot versions prior to 1.0.1 allows any guild member with slash-command access to invoke moderator-only /automod add, /automod remove, and /automod list commands due to missing Discord default permission requirements and absent runtime permission checks. Exploitation enables a low-privileged member to register automod rules matching common text patterns, causing the bot to delete other users' legitimate messages. No public exploit identified at time of analysis, but the trivial nature of the abuse and public advisory increase likelihood of weaponization in active Discord servers.
Technical ContextAI
Quest Bot is an open-source Discord moderation bot (CPE: cpe:2.3:a:duck-organization:quest-bot) that exposes slash commands through Discord's interaction framework. Discord slash commands support a default_member_permissions attribute that restricts who can see and execute them, and additionally bots should perform runtime authorization checks within the command handler. CWE-862 (Missing Authorization) applies here because the /automod family of commands was registered without default_member_permissions metadata AND the handler did not validate the invoker's guild permissions (e.g., ManageMessages or ModerateMembers) before mutating the automod ruleset, leaving moderation functionality fully accessible to any member who can invoke commands in the guild.
RemediationAI
Vendor-released patch: Quest Bot v1.0.1 - upgrade the running bot instance to questbot-v1.0.1 (https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.1) and re-register the bot's application commands with Discord so the updated default_member_permissions metadata is applied (Discord caches command definitions until re-synced). If immediate upgrade is not possible, server administrators can apply compensating controls via Discord's native Integrations settings by restricting the /automod commands to specific moderator roles or channels (Server Settings → Integrations → Quest Bot → Command Permissions); the trade-off is that this must be reapplied per guild and does not protect against the runtime check gap if the bot adds new commands. As a last resort, kick the bot from the guild until patched, which removes all moderation features it provided. Consult the advisory at https://github.com/duck-organization/questbot/security/advisories/GHSA-rphh-4h68-qr3j for full details.
Mass mention abuse in Quest Bot (open-source Discord moderation/utility bot) before version 1.0.3 allows any normal Disc
Cross-tenant AutoMod rule deletion in Quest Bot (Discord bot) prior to 1.0.5 lets a user with Manage Server permission i
Privilege escalation in Quest Bot (open-source Discord moderation bot) prior to version 1.0.3 allows a user holding only
Unsanitized output in Quest Bot's ticket creation workflow allows any unprivileged Discord server member to inject @ever
Ticket transcript redirection in Quest Bot (prior to v1.0.4) allows a privileged user with bot settings access to config
Quest Bot, an open-source Discord moderation/utility bot, exposes private channel message contents to privileged users w
Quest Bot (Discord moderation bot) prior to v1.0.4 allows low-privileged moderators to leverage the bot's elevated Disco
Unsanitized reason text in Quest Bot's /unban and /unwarn Discord commands enables authenticated moderators to trigger m
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36298