Skip to main content

Quest Bot CVE-2026-47176

| EUVDEUVD-2026-36276 MEDIUM
Information Exposure (CWE-200)
2026-06-11 GitHub_M
5.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.2 MEDIUM

PR:H because bot config access is required; S:C because the bot crosses authorization boundaries to expose private channels; UI:R for passive message activity from other users.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 20:01 EUVD
Analysis Generated
Jun 11, 2026 - 19:28 vuln.today

DescriptionCVE.org

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can enable logging and choose a logging channel they can read. The bot then logs deleted and edited message contents from every channel it can see, including private channels the configuring user cannot access. This issue has been patched in version 1.0.4.

AnalysisAI

Quest Bot, an open-source Discord moderation/utility bot, exposes private channel message contents to privileged users who should not have access to them. A user holding bot configuration privileges can enable the logging feature and direct logs to a channel they control, causing the bot to forward deleted and edited message content from all channels it can observe - including private channels the configuring user is explicitly excluded from reading. No public exploit has been identified at time of analysis, and a patch was released in version 1.0.4.

Technical ContextAI

Quest Bot (CPE: cpe:2.3:a:duck-organization:quest-bot:*:*:*:*:*:*:*:*) is an open-source Node.js Discord bot hosted under the duck-organization GitHub organization. Discord bots operate with OAuth2 scopes and channel permissions that may exceed those of individual human users - bots with 'View Channel' and 'Read Message History' permissions can observe messages across all guild channels, including private ones restricted to specific roles. The vulnerability is rooted in CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the logging feature does not enforce a permission boundary check between the channels the configuring user is authorized to read and the channels the bot itself can observe. This means the bot acts as a confused deputy, laundering access from its elevated service account context to a human user who should be restricted.

RemediationAI

The primary fix is to upgrade Quest Bot to version 1.0.4, which patches the information disclosure vulnerability. The official release is available at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.4 and the advisory is at https://github.com/duck-organization/questbot/security/advisories/GHSA-fvvp-8g5q-hrc7. For deployments that cannot immediately upgrade, a compensating control is to disable the logging feature entirely until the patch is applied - this removes the exploitation pathway but also eliminates legitimate moderation logging capability. A second compensating control is to restrict bot configuration permissions exclusively to fully trusted server administrators who already have visibility into all channels, eliminating the privilege-escalation angle; however, this may not be operationally feasible in larger communities with delegated moderation. Removing the bot's 'View Channel' permission from sensitive private channels is an additional layer of defense, though it degrades bot functionality in those channels.

Share

CVE-2026-47176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy