Description
Quest Bot is an open-source modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list because the command has no Discord default permission requirement and no runtime moderator permission check. An attacker can add a rule matching common text and make the bot delete other users’ messages. This issue has been patched in version 1.0.1.
Published: 2026-06-11
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Quest Bot, an open-source Discord moderation bot, allowed any guild member who could use slash commands to add or remove AutoMod rules, because the commands declared no required Discord permission and performed no runtime validation of moderator privileges. This omission enabled unprivileged users to create rules that match common text patterns and trigger automatic deletion of other users’ messages. As a result, an attacker could arbitrarily delete content from a guild, leading to loss of user data and undermining the moderation integrity of the community.

Affected Systems

The vulnerability affected all installations of duck‑organization Quest Bot prior to version 1.0.1, all of which lacked hard‑coded permission enforcement for the /automod add, /automod remove, and /automod list commands. Any Discord guild where the bot was present and where members had permission to invoke slash commands was susceptible, irrespective of the guild’s configuration settings.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity. EPSS data is not available, and the lack of a KEV listing suggests no widespread exploitation has been reported yet. However, the attack vector is straightforward: any guild member can trigger the command via the normal Discord UI, which makes the vulnerability readily actionable in environments where the bot is active. This poses a moderate to high risk, especially for guilds that rely on the bot’s automated moderation to enforce community standards.

Generated by OpenCVE AI on June 11, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quest Bot to version 1.0.1 or later to apply the fixed permission checks.
  • If a patch is not yet available, restrict the /automod commands in Discord’s application command permissions so that only users with moderator roles can execute them.
  • Review and revoke any AutoMod rules that were created before the patch, and monitor bot logs for unexpected rule changes.
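
The two layers named in the description (a Discord default permission requirement and a runtime moderator check), shown as an added example that is not Quest Bot's own code. It assumes Manage Server as the required permission and a hypothetical `pattern` option, and works on raw Discord interaction payloads (constructed here) rather than any bot library.

```javascript
// Discord permission bits (values from the Discord API documentation).
const ADMINISTRATOR = 1n << 3n;
const MANAGE_GUILD = 1n << 5n;
// Assumption: Manage Server is the permission chosen to gate /automod.
const REQUIRED = MANAGE_GUILD;

// Layer 1: registration payload. default_member_permissions hides the command
// from members lacking these bits, but guild admins can override it per
// server, so it cannot be the only control.
const automodCommand = {
  name: 'automod',
  description: 'Manage AutoMod rules',
  default_member_permissions: REQUIRED.toString(),
  options: ['add', 'remove', 'list'].map((name) => ({
    type: 1, name, description: `${name} AutoMod rules`,
  })),
};

// Layer 2: runtime check on the invoking member. Fails closed when the
// permissions field is absent (e.g. a DM) or malformed.
function mayManageAutomod(interaction) {
  const raw = interaction && interaction.member && interaction.member.permissions;
  if (typeof raw !== 'string' || !/^\d+$/.test(raw)) return false;
  const perms = BigInt(raw);
  return (perms & ADMINISTRATOR) !== 0n || (perms & REQUIRED) === REQUIRED;
}

// Handler: authorization runs before any subcommand, including "list".
function handleAutomod(interaction, rules) {
  if (!mayManageAutomod(interaction)) {
    return { ok: false, reply: 'Manage Server permission required.' };
  }
  const sub = interaction.data.options[0];
  const pattern = sub.options && sub.options[0] ? sub.options[0].value : undefined;
  if (sub.name === 'add' && pattern) rules.push(pattern);
  if (sub.name === 'remove') {
    const i = rules.indexOf(pattern);
    if (i >= 0) rules.splice(i, 1);
  }
  return { ok: true, reply: `Rules: ${rules.join(', ') || '(none)'}` };
}

// Constructed payloads: a regular member (View Channel only) and a moderator.
const addThe = { options: [{ name: 'add', options: [{ name: 'pattern', value: 'the' }] }] };
const memberCall = { member: { permissions: '1024' }, data: addThe };
const modCall = { member: { permissions: '32' }, data: addThe };
```
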


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 20:30:00 +0000

Values added:

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 19:00:00 +0000

Values added:

  • Description: Quest Bot is an open-source modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list because the command has no Discord default permission requirement and no runtime moderator permission check. An attacker can add a rule matching common text and make the bot delete other users’ messages. This issue has been patched in version 1.0.1.
  • Title: Quest Bot: Unprivileged users can create and remove AutoMod rules.
  • Weaknesses: CWE-862
  • References
  • Metrics: cvssV4_0 {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T18:58:27.539Z

Reserved: 2026-05-18T21:25:34.496Z

Link: CVE-2026-47163

Vulnrichment

Updated: 2026-06-11T18:57:35.869Z

NVD

Status: Deferred

Published: 2026-06-11T19:16:44.390

Modified: 2026-06-11T20:58:18.123

Link: CVE-2026-47163

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T22:30:09Z

Weaknesses