Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-invoked Discord command (AV:N); requires the guild to use channel overrides denying the invoker (AC:H); attacker must already be an authenticated guild member with base moderation role (PR:L); no UI; integrity high (message deletion), availability low (slowmode), no confidentiality.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member’s effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6.
AnalysisAI
Authorization bypass in Quest Bot Discord bot prior to version 1.1.6 lets low-privilege guild members invoke the purge and slowmode commands in channels where their channel-level permissions explicitly deny moderation. The bot only validates guild-wide permissions on the invoking member and ignores Discord's per-channel permission overrides, so a user excluded from moderating a specific channel can still delete messages and alter slowmode there. No public exploit identified at time of analysis, and the issue is patched in v1.1.6.
Technical ContextAI
Quest Bot is an open-source Discord bot maintained by the duck-organization GitHub org (CPE cpe:2.3:a:duck-organization:questbot). Discord's permission model is layered: guild-level roles grant baseline permissions, but channel-level overrides can deny those permissions on a per-channel basis, and the 'effective' permission for a member in a channel is the resolved combination. The vulnerability is a classic CWE-863 (Incorrect Authorization): the purge and slowmode command handlers call a guild-permissions check on the invoker rather than computing channel-effective permissions (e.g., the equivalent of Discord.js's channel.permissionsFor(member)), so channel-scoped deny overrides are silently ignored by the bot's own authorization logic even though Discord itself would block the underlying action if the user attempted it directly.
RemediationAI
Vendor-released patch: questbot-v1.1.6 - upgrade the running bot instance to questbot-v1.1.6 or later (https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6), which adds channel-effective permission checks to the purge and slowmode handlers as described in GHSA-2wf8-554w-hrj9. Operators who cannot upgrade immediately can mitigate by removing the bot's Manage Messages and Manage Channels permissions on channels where moderation must be restricted (the bot will then be unable to execute purge/slowmode there at the Discord API layer regardless of its own check), or by kicking the bot from the guild until upgraded; the trade-off is that legitimate moderators also lose bot-driven moderation in those channels. Restricting which roles can invoke the purge/slowmode commands at the guild level reduces but does not eliminate the issue, because the flaw is precisely that channel-level deny overrides on otherwise-permitted users are ignored.
Improper input validation in Quest Bot (an open-source Discord bot) prior to version 1.1.6 lets a guild moderator weapon
Discord role hierarchy bypass in Quest Bot (open-source Discord moderation bot) prior to version 1.1.6 allows moderators
Ticket panel resource exhaustion in Quest Bot (open-source Discord bot, all versions prior to 1.1.8) allows any Discord
Mention injection in Quest Bot prior to version 1.1.6 allows Discord server moderators to embed @everyone or @here mass-
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36413