Description
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it to that configured transcript channel. This can expose private ticket messages to users who could not read the original ticket channel. This issue has been patched in version 1.0.4.
Published: 2026-06-11
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Quest Bot transmits closed ticket histories to a transcript channel configured by a bot administrator. If the transcript channel is one that the administrator can read, the entire ticket content—including private messages—is posted there. This exposes confidential information to users who otherwise could not view the original ticket. The flaw is a data‑exposure issue (CWE‑200).

Affected Systems

The vulnerability affects all releases of Quest Bot by duck‑organization prior to version 1.0.4. Users of earlier builds must check the version they are running.

Risk and Exploitability

With a CVSS score of 5.7, the risk level is moderate. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a user with permission to configure bot settings; by selecting an inappropriate transcript channel, the attacker can cause private tickets to be published to a broader audience. The exploitation requires only configuration privileges, making it relatively straightforward if such privileges are given to a malicious participant.

Generated by OpenCVE AI on June 11, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quest Bot to version 1.0.4 or later, which removes the ability to set a transcript channel that can be read by unauthorized users.
  • If an upgrade is not immediately possible, restrict the transcript channel configuration so that it points to a channel with no read permissions for private ticket owners or delete the setting altogether.
  • Review and tighten bot permission assignments so that only trusted administrators can configure bot settings and access ticket transcript channels.

Generated by OpenCVE AI on June 11, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it to that configured transcript channel. This can expose private ticket messages to users who could not read the original ticket channel. This issue has been patched in version 1.0.4.
Title Quest Bot: Ticket transcripts can disclose private ticket contents to a lower-visibility channel
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T19:36:40.044Z

Reserved: 2026-05-18T21:25:34.498Z

Link: CVE-2026-47177

cve-icon Vulnrichment

Updated: 2026-06-11T19:36:31.098Z

cve-icon NVD

Status : Deferred

Published: 2026-06-11T19:16:46.047

Modified: 2026-06-11T20:58:18.123

Link: CVE-2026-47177

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T22:30:09Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor