Description
Quest Bot is an open-source modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can enable logging and choose a logging channel they can read. The bot then logs deleted and edited message contents from every channel it can see, including private channels the configuring user cannot access. This issue has been patched in version 1.0.4.
Published: 2026-06-11
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the logging component of Quest Bot, an open‑source Discord bot. Users who are granted permission to configure the bot can enable logging and choose a channel in which log messages will be posted. When logging is activated, the bot records the contents of deleted and edited messages from every channel it has access to, even channels that the configuring user cannot read. Consequently, a privileged user can use the bot to retrieve private channel conversations through an innocuous log channel, resulting in a disclosure of confidential information.

Affected Systems

The affected product is Quest Bot from duck‑organization. Versions prior to 1.0.4 contain the flaw. Any deployment of Quest Bot 1.0.3 or earlier that allows a user to configure logging is vulnerable. The fix is available in version 1.0.4 and later.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. EPSS data is not available, so the current exploitation likelihood is unknown. The vulnerability is not listed in KEV. The likely attack vector is remote; an attacker must possess a privileged Discord role that allows configuration of the bot’s logging settings. If successful, the attacker can read private-channel messages through the log channel they selected, which they are able to read. Because the flaw is purely in data handling, it does not grant arbitrary code execution or denial of service.

Generated by OpenCVE AI on June 11, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Quest Bot to version 1.0.4 or later to eliminate the logging issue.
  • After upgrading, configure logging only for channels that contain no confidential content and that are not readable by users who cannot view private channels.
  • Audit existing logs for evidence of private message leakage and delete any offending entries that were captured before the patch.


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Quest Bot is an open-source modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can enable logging and choose a logging channel they can read. The bot then logs deleted and edited message contents from every channel it can see, including private channels the configuring user cannot access. This issue has been patched in version 1.0.4.
Title | | Quest Bot: Logging module can disclose private-channel message contents to a lower-visibility log channel
Weaknesses | | CWE-200
References | |
Metrics | | cvssV4_0 {'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T19:01:18.109Z

Reserved: 2026-05-18T21:25:34.497Z

Link: CVE-2026-47176

Vulnrichment

Updated: 2026-06-11T19:01:04.679Z

NVD

Status: Deferred

Published: 2026-06-11T19:16:45.880

Modified: 2026-06-11T20:58:18.123

Link: CVE-2026-47176

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T22:30:09Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor