Description
Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without verifying that the rule belongs to the guild where the command is executed. A user can learn a victim guild’s AutoMod rule ID through autocomplete, then remove that rule from another guild where they have the Manage Server permission. This issue has been patched in version 1.0.5.
Published: 2026-06-11
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Quest Bot’s AutoMod rule removal function deleted rules by a global database ID without first ensuring the rule belonged to the guild where the command was executed, allowing a user with Manage Server permissions to target and delete moderation rules in another guild. This flaw effectively gives a privileged user the ability to erase or alter safeguards in a guild they do not own, compromising the integrity and availability of moderation controls.
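To make the authorization gap concrete, here is an added illustration (not Quest Bot's own code; the schema, guild IDs and function names are assumptions): the pre-1.0.5 pattern deletes by global rule ID alone, while the hardened form scopes both autocomplete and deletion to the invoking guild, so a rule ID learned from another guild matches nothing.

```python
import sqlite3

# Constructed sample data: two guilds sharing one bot database. The table
# layout and guild IDs are assumptions for this example, not Quest Bot's own.
SEED_RULES = [
    (1, "guild-A", "block-invites"),
    (2, "guild-A", "anti-spam"),
    (3, "guild-B", "no-caps"),
]


def make_db():
    """In-memory rules table keyed by a single global, auto-incrementing ID."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE automod_rules ("
        "id INTEGER PRIMARY KEY, guild_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO automod_rules VALUES (?, ?, ?)", SEED_RULES)
    conn.commit()
    return conn


def autocomplete(conn, guild_id, prefix=""):
    """Offer only the rules of the requesting guild, never foreign IDs."""
    rows = conn.execute(
        "SELECT id, name FROM automod_rules WHERE guild_id = ? AND name LIKE ? ORDER BY id",
        (guild_id, prefix + "%"),
    )
    return [(rid, name) for rid, name in rows]


def remove_rule_vulnerable(conn, rule_id):
    """Pre-1.0.5 pattern (CWE-639): the user-supplied global ID is the only key checked."""
    cur = conn.execute("DELETE FROM automod_rules WHERE id = ?", (rule_id,))
    conn.commit()
    return cur.rowcount  # rows deleted, regardless of which guild owned them


def remove_rule_fixed(conn, guild_id, rule_id):
    """Hardened form: the delete is scoped to the guild the command runs in.

    A rowcount of 0 means "no such rule in this guild"; treating that as a
    not-found error (and logging it) also surfaces probing with foreign IDs.
    """
    cur = conn.execute(
        "DELETE FROM automod_rules WHERE id = ? AND guild_id = ?", (rule_id, guild_id)
    )
    conn.commit()
    return cur.rowcount


def rule_exists(conn, rule_id):
    """Helper used to confirm whether a rule survived a removal attempt."""
    row = conn.execute("SELECT 1 FROM automod_rules WHERE id = ?", (rule_id,)).fetchone()
    return row is not None
```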

Affected Systems

The vulnerability affects the Quest Bot Discord bot distributed by duck-organization in releases prior to version 1.0.5. Any guild served by an earlier release is at risk: a user who holds Manage Server authority in some other guild served by the same bot instance can run the AutoMod removal command against that guild's rule IDs.

Risk and Exploitability

The CVSS score of 8.3 indicates a high severity. EPSS data is not available, but the flaw does not require special conditions beyond having Manage Server permissions, which is commonly granted to editors or staff. Because the vulnerability is already patched in the latest release, exploitation would only occur on systems that have not yet applied the patch. The KEV status is not listed, so it is not part of the Known Exploited Vulnerabilities catalog, but organizations should still treat it with urgency.

Generated by OpenCVE AI on June 11, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quest Bot to version 1.0.5 or later, which validates the rule’s guild association before removal.
  • If an immediate upgrade is not possible, temporarily revoke or limit Manage Server permissions for bot operators until the patch can be applied.
  • Disable or restrict the bot’s autocomplete feature to prevent exposure of global rule IDs to users who should not have them.

Tracking

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Duck-organization; Duck-organization quest-bot
Vendors & Products | | Duck-organization; Duck-organization quest-bot

Thu, 11 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without verifying that the rule belongs to the guild where the command is executed. A user can learn a victim guild’s AutoMod rule ID through autocomplete, then remove that rule from another guild where they have Manage Server. This issue has been patched in version 1.0.5.
Title | | Quest Bot: AutoMod removal can delete rules from another guild by global rule ID
Weaknesses | | CWE-639
References | |
Metrics | | cvssV4_0: {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Duck-organization Quest-bot
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T19:02:22.869Z

Reserved: 2026-05-18T22:07:37.435Z

Link: CVE-2026-47189

Vulnrichment

Updated: 2026-06-11T19:02:09.869Z

NVD

Status : Deferred

Published: 2026-06-11T19:16:46.637

Modified: 2026-06-11T20:58:18.123

Link: CVE-2026-47189

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:21:57Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key