Impact
Quest Bot’s AutoMod rule removal function deleted rules by their global database ID without first checking that the rule belonged to the guild where the command was executed. A user holding Manage Server permissions in one guild could therefore supply the ID of a rule from a different guild and delete it. This flaw effectively lets a privileged user erase or alter safeguards in a guild they do not control, compromising the integrity and availability of that guild's moderation controls.
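The following added example (not Quest Bot's own code; the table, column and function names are constructed for illustration) shows the missing-tenant-check pattern described above and the scoped form that fixes it. Two guilds share one global rule ID space; the vulnerable delete ignores the invoking guild entirely, while the hardened delete includes the guild in the WHERE clause so a foreign rule is simply never matched.

```python
"""Added illustration (not Quest Bot's code): deleting an AutoMod rule by a
global database ID with and without scoping the delete to the invoking guild.
The schema, table name and function names are constructed for this example."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory schema: rules from two guilds share one ID space,
    # which is what makes a cross-guild delete possible in the first place.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE automod_rules ("
        "id INTEGER PRIMARY KEY, guild_id INTEGER NOT NULL, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO automod_rules (id, guild_id, name) VALUES (?, ?, ?)",
        [(1, 100, "no-invites"), (2, 200, "no-spam"), (3, 200, "no-links")],
    )
    conn.commit()
    return conn


def remove_rule_vulnerable(conn, rule_id: int, invoking_guild_id: int) -> int:
    # Vulnerable pattern: the invoking guild is known to the handler but never
    # used in the query, so any global ID is deletable from any guild.
    cur = conn.execute("DELETE FROM automod_rules WHERE id = ?", (rule_id,))
    conn.commit()
    return cur.rowcount


def remove_rule_scoped(conn, rule_id: int, invoking_guild_id: int) -> int:
    # Hardened pattern: the tenant (guild) is part of the predicate. A rule
    # owned by another guild is not matched, so rowcount is 0 and nothing
    # is leaked about whether that ID exists elsewhere.
    cur = conn.execute(
        "DELETE FROM automod_rules WHERE id = ? AND guild_id = ?",
        (rule_id, invoking_guild_id),
    )
    conn.commit()
    return cur.rowcount


def rule_ids(conn, guild_id: int) -> list:
    # Helper used to observe the effect of each delete on a guild's rules.
    rows = conn.execute(
        "SELECT id FROM automod_rules WHERE guild_id = ? ORDER BY id",
        (guild_id,),
    )
    return [r[0] for r in rows]


def demo() -> dict:
    # Scenario: a moderator with Manage Server in guild 100 issues the removal
    # command with rule ID 2, which belongs to guild 200.
    conn = make_db()
    vuln_deleted = remove_rule_vulnerable(conn, 2, 100)
    vuln_remaining = rule_ids(conn, 200)        # guild 200 lost its rule

    conn = make_db()
    scoped_deleted = remove_rule_scoped(conn, 2, 100)
    scoped_remaining = rule_ids(conn, 200)      # guild 200 is untouched
    own_deleted = remove_rule_scoped(conn, 1, 100)  # own guild still works

    return {
        "vuln_deleted": vuln_deleted,
        "vuln_remaining": vuln_remaining,
        "scoped_deleted": scoped_deleted,
        "scoped_remaining": scoped_remaining,
        "own_deleted": own_deleted,
    }


if __name__ == "__main__":
    print(demo())
```

A rowcount of 0 from the scoped delete is a useful signal for defenders: a command that names a rule ID the invoking guild does not own either indicates a stale client or an attempt to reach across tenants, and is worth logging with the guild and user IDs.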
Affected Systems
The vulnerability affects Discord bots distributed by duck-organization under the Quest Bot project, prior to version 1.0.5. Any deployment of an earlier release is at risk: a user with Manage Server authority in one server can invoke the AutoMod removal command against rules that belong to a different server.
Risk and Exploitability
The CVSS score of 8.3 indicates high severity. EPSS data is not available, but the flaw requires no special conditions beyond holding Manage Server permissions, which is commonly granted to editors or staff. Because the vulnerability is already patched in the latest release, exploitation would only occur on deployments that have not yet applied the patch. No KEV entry is listed, so it is not part of the Known Exploited Vulnerabilities catalog, but organizations should still treat it with urgency.
OpenCVE Enrichment