Skip to main content

Quest Bot EUVDEUVD-2026-36277

| CVE-2026-47177 MEDIUM
Information Exposure (CWE-200)
2026-06-11 GitHub_M
5.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.2 MEDIUM

PR:H for required bot settings access; UI:R because ticket closure by another party is needed; S:C because transcript crosses channel confidentiality boundaries to unauthorized readers.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 20:01 EUVD
Analysis Generated
Jun 11, 2026 - 19:29 vuln.today

DescriptionCVE.org

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it to that configured transcript channel. This can expose private ticket messages to users who could not read the original ticket channel. This issue has been patched in version 1.0.4.

AnalysisAI

Ticket transcript redirection in Quest Bot (prior to v1.0.4) allows a privileged user with bot settings access to configure the closed-ticket transcript destination to any channel they can read, exposing full private ticket histories to unauthorized parties. The bot fails to enforce parity between the access controls of the original ticket channel and the transcript destination, breaking the confidentiality boundary of the ticketing system. No public exploit code exists and no KEV listing applies; the CVSS 4.0 score of 5.7 reflects the high privilege requirement and passive user interaction needed to trigger exposure.

Technical ContextAI

Quest Bot is an open-source Discord moderation and support bot (CPE: cpe:2.3:a:duck-organization:quest-bot:*:*:*:*:*:*:*:*) that implements a ticketing system wherein users can open private support channels. Upon ticket closure, the bot serializes the entire message history into a transcript and delivers it to a pre-configured transcript channel. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the bot does not validate that the configured transcript destination enforces the same access controls as the originating ticket channel. An administrator can therefore route transcripts to a broadly readable channel or one they personally monitor, circumventing the intended confidentiality of the private ticket.

RemediationAI

Vendor-released patch: Quest Bot version 1.0.4. Operators should upgrade immediately by deploying the patched release from https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.4. Prior to upgrading, as a compensating control, server administrators should audit the current transcript channel configuration and restrict it to a private channel accessible only to users who are already authorized to view ticket contents. Reducing the number of users with bot settings configuration permissions (PR:H in CVSS terms) also reduces the attack surface, as the vulnerability requires settings-level access to exploit. No significant side effects of upgrading are noted in available data. The full security advisory is at https://github.com/duck-organization/questbot/security/advisories/GHSA-4rpv-95pj-6ccg.

Share

EUVD-2026-36277 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy