Skip to main content

Quest Bot CVE-2026-49347

| EUVDEUVD-2026-36416 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-12 GitHub_M
5.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-accessible modal endpoint requires only Discord panel membership (PR:L); availability impact is Low and scope unchanged as exhaustion is confined to the bot's own channels and database.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 14:01 EUVD
Analysis Generated
Jun 12, 2026 - 12:51 vuln.today

DescriptionCVE.org

Quest Bot is an opensource Discord Bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8.

AnalysisAI

Ticket panel resource exhaustion in Quest Bot (open-source Discord bot, all versions prior to 1.1.8) allows any Discord user with panel access to flood a server with unlimited ticket channels and database records. Each modal submission unconditionally spawns a new Discord channel and database entry with no duplicate-ticket check and no rate limiting, enabling trivial availability denial of the ticketing system. No active exploitation (KEV) or public exploit code has been identified; vendor-released patch version 1.1.8 is confirmed available.

Technical ContextAI

Quest Bot (CPE: cpe:2.3:a:duck-organization:questbot:*:*:*:*:*:*:*:*) is an open-source Discord bot implementing a support-ticket workflow where Discord users submit modal forms that trigger channel creation and database record insertion. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling): the modal submission handler performs no idempotency check (does the user already have an open ticket?) and imposes no cooldown or submission-rate constraint. Every modal completion unconditionally executes both a Discord channel-creation API call and a database INSERT, meaning a single user can exhaust Discord's per-server channel cap and bloat the backing database without restriction. The affected component is the ticket modal submission path in all pre-1.1.8 releases.

RemediationAI

Upgrade Quest Bot to version 1.1.8, which introduces open-ticket deduplication checks and submission rate limiting on the ticket modal handler. The patched release is available at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.8. As a compensating control prior to patching, Discord server administrators should restrict ticket panel access to specific trusted roles via Discord permission settings, reducing the pool of users who can trigger modal submissions. Note that restricting panel access limits legitimate user self-service ticketing, which may be unacceptable for community support servers. No compensating control addresses the root cause - only the v1.1.8 patch resolves the missing idempotency and rate-limit logic.

Share

CVE-2026-49347 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy