Skip to main content

Quest Bot CVE-2026-47189

| EUVDEUVD-2026-36279 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-11 GitHub_M
8.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.6 CRITICAL

Network-reachable Discord command, low complexity, requires Manage Server in attacker's guild (PR:L); scope changes to victim guild; integrity/availability of AutoMod rules high, no confidentiality impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 20:01 EUVD
Analysis Generated
Jun 11, 2026 - 19:19 vuln.today

DescriptionCVE.org

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without verifying that the rule belongs to the guild where the command is executed. A user can learn a victim guild’s AutoMod rule ID through autocomplete, then remove that rule from another guild where they have Manage Server. This issue has been patched in version 1.0.5.

AnalysisAI

Cross-tenant AutoMod rule deletion in Quest Bot (Discord bot) prior to 1.0.5 lets a user with Manage Server permission in any guild delete AutoMod rules belonging to other guilds. The flaw stems from looking up rules by global database ID without verifying guild ownership, and rule IDs are discoverable via the bot's autocomplete feature. No public exploit identified at time of analysis, but the GitHub Security Advisory and patched release v1.0.5 are public.

Technical ContextAI

Quest Bot is an open-source Discord moderation bot (CPE: cpe:2.3:a:duck-organization:quest-bot) whose AutoMod subsystem stores rules in a shared database keyed by a global ID. The remove command resolves a rule by that global ID and proceeds to delete it without enforcing a tenancy check that the rule's guild_id matches the executing guild's context. This is a textbook CWE-639 (Authorization Bypass Through User-Controlled Key / IDOR) issue, made worse because the autocomplete handler exposes rule IDs from other guilds, supplying the very key needed to bypass the missing check.

RemediationAI

Vendor-released patch: Quest Bot 1.0.5 - upgrade any self-hosted instance to that release via https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.5 and review GHSA-6rv9-6p24-w955 for details. Until the upgrade is applied, operators can disable or unregister the AutoMod remove slash command in their bot deployment to eliminate the deletion path (side effect: legitimate admins lose in-bot rule removal and must clean up via direct database edits or the Discord-native AutoMod UI), and/or disable the AutoMod rule autocomplete handler to prevent ID enumeration (side effect: admins must type or look up rule IDs manually). Operators who cannot disable these commands should restrict bot invitation to trusted guilds, since the cross-tenant impact requires the attacker to share a bot instance with the victim guild.

Share

CVE-2026-47189 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy