Description
Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member’s effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6.
Published: 2026-06-12
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Quest Bot, an open‑source Discord bot, fails to validate per‑channel permissions for the purge and slowmode commands in versions prior to 1.1.6. Without checking a member’s effective permissions within the channel, a user lacking moderation rights can still delete channel messages or alter the slow‑mode setting through the bot. This breach of access control allows an attacker with limited permissions to perform actions normally reserved for moderators, potentially disrupting channels or deleting legitimate content.

Affected Systems

Applicable to the Quest Bot project hosted by duck‑organization on Discord. Any installations of Quest Bot older than version 1.1.6 are affected; the vulnerability was resolved in release v1.1.6.

Risk and Exploitability

With a CVSS score of 7.1, the vulnerability presents moderate severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, indicating it has not yet been exploited in the wild. The likely attack vector is through the Discord platform, where an attacker uses the bot’s purge or slowmode command to bypass channel‑level moderation restrictions. Exploitation requires only a Discord user with the bot’s command permissions; no additional foothold or elevated privileges are needed.

Generated by OpenCVE AI on June 12, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quest Bot to version 1.1.6 or later to apply the permission check fix.
  • Restrict the bot’s role permissions on the server so it cannot perform moderation actions in channels where it is not required.
  • Review and adjust channel permission overwrites to ensure that non‑moderator roles do not have unintended rights when interacting with the bot.

Generated by OpenCVE AI on June 12, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Duck-organization
Duck-organization questbot
Vendors & Products Duck-organization
Duck-organization questbot

Fri, 12 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Description Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member’s effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6.
Title Quest Bot: Per-channel permission overwrite bypass in purge and slowmode commands.
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L'}

Subscriptions

Duck-organization Questbot
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T12:26:16.745Z

Reserved: 2026-05-18T22:07:37.435Z

Link: CVE-2026-47195

cve-icon Vulnrichment

Updated: 2026-06-12T12:26:13.220Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T13:16:32.930

Modified: 2026-06-12T15:56:54.563

Link: CVE-2026-47195

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:20:38Z

Weaknesses