Skip to main content

Quest Bot CVE-2026-47163

| EUVDEUVD-2026-36298 HIGH
Missing Authorization (CWE-862)
2026-06-11 GitHub_M
7.2
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Any authenticated guild member (PR:L) can invoke the commands remotely with no user interaction, causing high integrity and availability impact through rule tampering and mass message deletion; no confidentiality loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 20:01 EUVD
Analysis Generated
Jun 11, 2026 - 19:18 vuln.today

DescriptionCVE.org

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list because the command has no Discord default permission requirement and no runtime moderator permission check. An attacker can add a rule matching common text and make the bot delete other users’ messages. This issue has been patched in version 1.0.1.

AnalysisAI

Privilege escalation in Quest Bot Discord bot versions prior to 1.0.1 allows any guild member with slash-command access to invoke moderator-only /automod add, /automod remove, and /automod list commands due to missing Discord default permission requirements and absent runtime permission checks. Exploitation enables a low-privileged member to register automod rules matching common text patterns, causing the bot to delete other users' legitimate messages. No public exploit identified at time of analysis, but the trivial nature of the abuse and public advisory increase likelihood of weaponization in active Discord servers.

Technical ContextAI

Quest Bot is an open-source Discord moderation bot (CPE: cpe:2.3:a:duck-organization:quest-bot) that exposes slash commands through Discord's interaction framework. Discord slash commands support a default_member_permissions attribute that restricts who can see and execute them, and additionally bots should perform runtime authorization checks within the command handler. CWE-862 (Missing Authorization) applies here because the /automod family of commands was registered without default_member_permissions metadata AND the handler did not validate the invoker's guild permissions (e.g., ManageMessages or ModerateMembers) before mutating the automod ruleset, leaving moderation functionality fully accessible to any member who can invoke commands in the guild.

RemediationAI

Vendor-released patch: Quest Bot v1.0.1 - upgrade the running bot instance to questbot-v1.0.1 (https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.1) and re-register the bot's application commands with Discord so the updated default_member_permissions metadata is applied (Discord caches command definitions until re-synced). If immediate upgrade is not possible, server administrators can apply compensating controls via Discord's native Integrations settings by restricting the /automod commands to specific moderator roles or channels (Server Settings → Integrations → Quest Bot → Command Permissions); the trade-off is that this must be reapplied per guild and does not protect against the runtime check gap if the bot adds new commands. As a last resort, kick the bot from the guild until patched, which removes all moderation features it provided. Consult the advisory at https://github.com/duck-organization/questbot/security/advisories/GHSA-rphh-4h68-qr3j for full details.

Share

CVE-2026-47163 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy