CVE-2026-47163
Status: Deferred - Pending Action

Automated Message Deletion in Quest Bot

Vulnerability report for CVE-2026-47163, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

Quest Bot is an open-source, modern Discord bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list, because the command has no Discord default permission requirement and no runtime moderator permission check. An attacker can add a rule matching common text and make the bot delete other users' messages. This issue has been patched in version 1.0.1.

Meta Information

Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Associated CPEs (2):

Vendor              Product   Version / Range
duck_organization   questbot  up to 1.0.1 (exclusive)
duck_organization   questbot  1.0.1

Exploitability

CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

AI Quick Actions
Executive Summary

The vulnerability in Quest Bot allows any guild member on a Discord server to use slash commands like /automod add, /automod remove, and /automod list without requiring moderator permissions or authorization checks.

Because of this, an attacker can add broad AutoMod rules, such as rules matching common text or single letters, which causes the bot to delete legitimate messages from other users.

This issue is due to missing authorization checks and affects versions prior to 1.0.1. It has been patched in version 1.0.1.

Impact Analysis

This vulnerability can allow normal guild members to disrupt communication within a Discord server by deleting legitimate messages from other users.

Attackers can weaken or bypass existing moderation by altering server-wide AutoMod rules, potentially causing confusion, loss of important information, or abuse of the moderation system.

Because the attack has low complexity and requires no user interaction, it poses a high risk to server stability and trust.

Detection Guidance

This vulnerability can be detected by checking if unprivileged guild members are able to invoke the slash commands /automod add, /automod remove, and /automod list without proper moderator permissions.

To detect exploitation or presence of this vulnerability, you can monitor Discord server logs or bot command usage logs for unusual or unauthorized use of these AutoMod commands by non-moderator users.

Since this is a Discord bot issue, detection relies on the bot's own command logging or on Discord server audit logs rather than on traditional network-level telemetry.

For example, you can review the bot's command invocation logs or Discord audit logs for entries where non-moderator users have executed /automod add or /automod remove commands.

Mitigation Strategies

The immediate mitigation step is to upgrade the Quest Bot to version 1.0.1 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict the use of /automod add, /automod remove, and /automod list commands to trusted moderators only by implementing manual permission checks or disabling these commands for regular guild members.

Additionally, monitor and remove any suspicious AutoMod rules that may have been added by unauthorized users to prevent disruption of server communication.
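The two-layer authorization guard that the CWE-862 finding and the interim mitigation above call for, as an added example written for this page (it is not Quest Bot's code; the bot's language and library are not stated here). It uses only Discord's documented permission bit values and the real `default_member_permissions` field of the slash-command registration payload; the interaction object shape in the handler is a constructed stand-in.

```javascript
// Discord permission bits (documented values, as BigInt for 64-bit safety).
const PERMISSIONS = {
  ADMINISTRATOR: 1n << 3n,
  MANAGE_GUILD: 1n << 5n,
  MANAGE_MESSAGES: 1n << 13n,
};

// Layer 1: declarative gate at registration time.
// `hardened: false` mirrors the vulnerable state described for versions
// before 1.0.1 (no default permission, so every member sees and can run
// the command). `hardened: true` sets default_member_permissions so only
// members holding Manage Messages get the command by default.
function buildAutomodCommand({ hardened }) {
  const cmd = { name: 'automod', description: 'Manage AutoMod rules' };
  if (hardened) {
    cmd.default_member_permissions = PERMISSIONS.MANAGE_MESSAGES.toString();
  }
  return cmd;
}

// Layer 2: runtime check inside the handler. The registration default can be
// loosened by any server admin in the Discord UI, so the bot must re-check.
// `memberPermissionBits`: the caller's resolved guild permission bitfield
// (constructed stand-in for what a Discord library resolves per interaction).
// Administrator implicitly grants every permission; outside a guild there is
// no member context, so deny.
function isAuthorizedForAutomod(memberPermissionBits, inGuild) {
  if (!inGuild || memberPermissionBits == null) return false;
  const bits = BigInt(memberPermissionBits);
  if (bits & PERMISSIONS.ADMINISTRATOR) return true;
  return (bits & PERMISSIONS.MANAGE_MESSAGES) !== 0n;
}

// Handler for /automod add|remove|list. Returns the reply payload the bot
// would send; unauthorized callers get an ephemeral refusal and no rule
// is touched, which is the missing check this CVE describes.
function handleAutomod(interaction) {
  const { memberPermissionBits, inGuild, subcommand } = interaction;
  if (!isAuthorizedForAutomod(memberPermissionBits, inGuild)) {
    return { ephemeral: true, content: 'You need Manage Messages to use /automod.' };
  }
  return { ephemeral: false, content: `AutoMod ${subcommand} applied.` };
}
```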

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
