Description
Quest Bot is an open-source Discord bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Quest Bot allowed any user with access to the ticket panel to create an arbitrary number of ticket channels with no per‑user limit or cooldown. Each request results in a new database record and a new Discord channel. The lack of limits creates a risk of resource exhaustion, which can degrade bot performance or bring the hosting system offline if the user or a malicious actor floods the system with ticket requests. This is classified as an unchecked resource consumption flaw (CWE‑770).

Affected Systems

Any installation of Duck Organization’s Quest Bot running a version older than 1.1.8. The vulnerability is present whenever the ticket creation functionality is exposed, regardless of the user's role, as long as that user has access to the ticket panel. No specific OS or platform limitation is mentioned.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. Because the bot processes modals from any user with panel access, the attack vector is normal bot interaction and requires neither elevated privileges nor lateral movement. EPSS data are not available, and the issue is not listed in the CISA KEV catalog, suggesting no widely known exploitation in the wild. The risk remains that an attacker could generate a large number of open tickets, consuming memory, database resources, or Discord API limits, potentially resulting in service degradation or denial of service for legitimate users.

Generated by OpenCVE AI on June 12, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quest Bot to version 1.1.8 or later to enforce per‑user limits and cooldowns
  • Restrict ticket panel access to a limited set of trusted users or roles
  • Implement rate‑limiting or monitoring to detect abnormal ticket creation activity
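
The two checks the description says were missing (an existing open ticket for the same user, and a cooldown) can be enforced in one guard that runs before the database record and channel are created. This is an added example, not Quest Bot's code or its 1.1.8 patch; `TicketGate`, `replay`, the limit of one open ticket and the 300-second cooldown are assumptions, and the event list is constructed.

```python
import time
from dataclasses import dataclass, field


@dataclass
class TicketGate:
    """Per-user open-ticket cap and cooldown, checked before any allocation."""
    max_open: int = 1           # assumed policy value
    cooldown_s: float = 300.0   # assumed policy value
    _open: dict = field(default_factory=dict)  # user_id -> open ticket count
    _last: dict = field(default_factory=dict)  # user_id -> time of last accepted submit

    def try_reserve(self, user_id, now=None):
        """Return (allowed, reason). The slot is reserved in the same step, so
        two concurrent modal submissions cannot both pass the check."""
        now = time.monotonic() if now is None else now
        if self._open.get(user_id, 0) >= self.max_open:
            return False, "open_ticket_limit"
        last = self._last.get(user_id)
        if last is not None and now - last < self.cooldown_s:
            return False, "cooldown"
        self._open[user_id] = self._open.get(user_id, 0) + 1
        self._last[user_id] = now
        return True, "ok"

    def release(self, user_id):
        """Call when a ticket is closed, or when channel/DB creation failed."""
        if self._open.get(user_id, 0) > 0:
            self._open[user_id] -= 1


def replay(events, gate):
    """Apply (time, user_id, action) events; return the decision per submit."""
    decisions = []
    for t, user, action in events:
        if action == "submit":
            decisions.append((t, user) + gate.try_reserve(user, now=t))
        elif action == "close":
            gate.release(user)
    return decisions


# Constructed sample: user A floods the modal, user B behaves normally.
SAMPLE_EVENTS = [
    (0, "A", "submit"), (1, "A", "submit"), (2, "A", "submit"),
    (3, "B", "submit"), (10, "A", "close"), (11, "A", "submit"),
    (400, "A", "submit"),
]

if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS, TicketGate()):
        print(row)
```

Rejected submissions carry a reason code, so the same decisions can feed the monitoring recommended above: a user accumulating `open_ticket_limit` or `cooldown` rejections is the abnormal pattern to alert on.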

History

Fri, 12 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Fri, 12 Jun 2026 12:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Quest Bot is an open-source Discord bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8. |
| Title | | Quest Bot: Ticket creation has no per-user open-ticket limit or cooldown |
| Weaknesses | | CWE-770 |
| References | | |
| Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T13:41:50.369Z

Reserved: 2026-05-29T14:35:45.903Z

Link: CVE-2026-49347

Vulnrichment

Updated: 2026-06-12T13:41:07.627Z

NVD

Status: Deferred

Published: 2026-06-12T13:16:34.030

Modified: 2026-06-12T15:56:54.563

Link: CVE-2026-49347

OpenCVE Enrichment

Updated: 2026-06-12T13:30:27Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling