Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
PR:H for required bot settings access; UI:R because ticket closure by another party is needed; S:C because transcript crosses channel confidentiality boundaries to unauthorized readers.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it to that configured transcript channel. This can expose private ticket messages to users who could not read the original ticket channel. This issue has been patched in version 1.0.4.
AnalysisAI
Ticket transcript redirection in Quest Bot (prior to v1.0.4) allows a privileged user with bot settings access to configure the closed-ticket transcript destination to any channel they can read, exposing full private ticket histories to unauthorized parties. The bot fails to enforce parity between the access controls of the original ticket channel and the transcript destination, breaking the confidentiality boundary of the ticketing system. No public exploit code exists and no KEV listing applies; the CVSS 4.0 score of 5.7 reflects the high privilege requirement and passive user interaction needed to trigger exposure.
Technical ContextAI
Quest Bot is an open-source Discord moderation and support bot (CPE: cpe:2.3:a:duck-organization:quest-bot:*:*:*:*:*:*:*:*) that implements a ticketing system wherein users can open private support channels. Upon ticket closure, the bot serializes the entire message history into a transcript and delivers it to a pre-configured transcript channel. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the bot does not validate that the configured transcript destination enforces the same access controls as the originating ticket channel. An administrator can therefore route transcripts to a broadly readable channel or one they personally monitor, circumventing the intended confidentiality of the private ticket.
RemediationAI
Vendor-released patch: Quest Bot version 1.0.4. Operators should upgrade immediately by deploying the patched release from https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.4. Prior to upgrading, as a compensating control, server administrators should audit the current transcript channel configuration and restrict it to a private channel accessible only to users who are already authorized to view ticket contents. Reducing the number of users with bot settings configuration permissions (PR:H in CVSS terms) also reduces the attack surface, as the vulnerability requires settings-level access to exploit. No significant side effects of upgrading are noted in available data. The full security advisory is at https://github.com/duck-organization/questbot/security/advisories/GHSA-4rpv-95pj-6ccg.
Mass mention abuse in Quest Bot (open-source Discord moderation/utility bot) before version 1.0.3 allows any normal Disc
Cross-tenant AutoMod rule deletion in Quest Bot (Discord bot) prior to 1.0.5 lets a user with Manage Server permission i
Privilege escalation in Quest Bot (open-source Discord moderation bot) prior to version 1.0.3 allows a user holding only
Privilege escalation in Quest Bot Discord bot versions prior to 1.0.1 allows any guild member with slash-command access
Unsanitized output in Quest Bot's ticket creation workflow allows any unprivileged Discord server member to inject @ever
Quest Bot, an open-source Discord moderation/utility bot, exposes private channel message contents to privileged users w
Quest Bot (Discord moderation bot) prior to v1.0.4 allows low-privileged moderators to leverage the bot's elevated Disco
Unsanitized reason text in Quest Bot's /unban and /unwarn Discord commands enables authenticated moderators to trigger m
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36277