Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
PR:H because bot config access is required; S:C because the bot crosses authorization boundaries to expose private channels; UI:R for passive message activity from other users.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can enable logging and choose a logging channel they can read. The bot then logs deleted and edited message contents from every channel it can see, including private channels the configuring user cannot access. This issue has been patched in version 1.0.4.
AnalysisAI
Quest Bot, an open-source Discord moderation/utility bot, exposes private channel message contents to privileged users who should not have access to them. A user holding bot configuration privileges can enable the logging feature and direct logs to a channel they control, causing the bot to forward deleted and edited message content from all channels it can observe - including private channels the configuring user is explicitly excluded from reading. No public exploit has been identified at time of analysis, and a patch was released in version 1.0.4.
Technical ContextAI
Quest Bot (CPE: cpe:2.3:a:duck-organization:quest-bot:*:*:*:*:*:*:*:*) is an open-source Node.js Discord bot hosted under the duck-organization GitHub organization. Discord bots operate with OAuth2 scopes and channel permissions that may exceed those of individual human users - bots with 'View Channel' and 'Read Message History' permissions can observe messages across all guild channels, including private ones restricted to specific roles. The vulnerability is rooted in CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the logging feature does not enforce a permission boundary check between the channels the configuring user is authorized to read and the channels the bot itself can observe. This means the bot acts as a confused deputy, laundering access from its elevated service account context to a human user who should be restricted.
RemediationAI
The primary fix is to upgrade Quest Bot to version 1.0.4, which patches the information disclosure vulnerability. The official release is available at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.4 and the advisory is at https://github.com/duck-organization/questbot/security/advisories/GHSA-fvvp-8g5q-hrc7. For deployments that cannot immediately upgrade, a compensating control is to disable the logging feature entirely until the patch is applied - this removes the exploitation pathway but also eliminates legitimate moderation logging capability. A second compensating control is to restrict bot configuration permissions exclusively to fully trusted server administrators who already have visibility into all channels, eliminating the privilege-escalation angle; however, this may not be operationally feasible in larger communities with delegated moderation. Removing the bot's 'View Channel' permission from sensitive private channels is an additional layer of defense, though it degrades bot functionality in those channels.
Mass mention abuse in Quest Bot (open-source Discord moderation/utility bot) before version 1.0.3 allows any normal Disc
Cross-tenant AutoMod rule deletion in Quest Bot (Discord bot) prior to 1.0.5 lets a user with Manage Server permission i
Privilege escalation in Quest Bot (open-source Discord moderation bot) prior to version 1.0.3 allows a user holding only
Privilege escalation in Quest Bot Discord bot versions prior to 1.0.1 allows any guild member with slash-command access
Unsanitized output in Quest Bot's ticket creation workflow allows any unprivileged Discord server member to inject @ever
Ticket transcript redirection in Quest Bot (prior to v1.0.4) allows a privileged user with bot settings access to config
Quest Bot (Discord moderation bot) prior to v1.0.4 allows low-privileged moderators to leverage the bot's elevated Disco
Unsanitized reason text in Quest Bot's /unban and /unwarn Discord commands enables authenticated moderators to trigger m
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36276