Skip to main content

Quest Bot EUVDEUVD-2026-36413

| CVE-2026-47195 HIGH
Incorrect Authorization (CWE-863)
2026-06-12 GitHub_M
7.1
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

Network-invoked Discord command (AV:N); requires the guild to use channel overrides denying the invoker (AC:H); attacker must already be an authenticated guild member with base moderation role (PR:L); no UI; integrity high (message deletion), availability low (slowmode), no confidentiality.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 14:01 EUVD
Analysis Generated
Jun 12, 2026 - 12:53 vuln.today

DescriptionCVE.org

Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member’s effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6.

AnalysisAI

Authorization bypass in Quest Bot Discord bot prior to version 1.1.6 lets low-privilege guild members invoke the purge and slowmode commands in channels where their channel-level permissions explicitly deny moderation. The bot only validates guild-wide permissions on the invoking member and ignores Discord's per-channel permission overrides, so a user excluded from moderating a specific channel can still delete messages and alter slowmode there. No public exploit identified at time of analysis, and the issue is patched in v1.1.6.

Technical ContextAI

Quest Bot is an open-source Discord bot maintained by the duck-organization GitHub org (CPE cpe:2.3:a:duck-organization:questbot). Discord's permission model is layered: guild-level roles grant baseline permissions, but channel-level overrides can deny those permissions on a per-channel basis, and the 'effective' permission for a member in a channel is the resolved combination. The vulnerability is a classic CWE-863 (Incorrect Authorization): the purge and slowmode command handlers call a guild-permissions check on the invoker rather than computing channel-effective permissions (e.g., the equivalent of Discord.js's channel.permissionsFor(member)), so channel-scoped deny overrides are silently ignored by the bot's own authorization logic even though Discord itself would block the underlying action if the user attempted it directly.

RemediationAI

Vendor-released patch: questbot-v1.1.6 - upgrade the running bot instance to questbot-v1.1.6 or later (https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6), which adds channel-effective permission checks to the purge and slowmode handlers as described in GHSA-2wf8-554w-hrj9. Operators who cannot upgrade immediately can mitigate by removing the bot's Manage Messages and Manage Channels permissions on channels where moderation must be restricted (the bot will then be unable to execute purge/slowmode there at the Discord API layer regardless of its own check), or by kicking the bot from the guild until upgraded; the trade-off is that legitimate moderators also lose bot-driven moderation in those channels. Restricting which roles can invoke the purge/slowmode commands at the guild level reduces but does not eliminate the issue, because the flaw is precisely that channel-level deny overrides on otherwise-permitted users are ignored.

Share

EUVD-2026-36413 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy