CVE-2026-47176
Deferred - Pending Action

Information Disclosure in Quest Bot

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

Quest Bot is an open-source modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can enable logging and choose a logging channel they can read. The bot then logs deleted and edited message contents from every channel it can see, including private channels the configuring user cannot access. This issue has been patched in version 1.0.4.

Meta Information

Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Showing 1 associated CPE

Vendor: duck_organization
Product: questbot
Version / Range: to 1.0.4 (exclusive)

Exploitability

CWE ID: CWE-200
Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Executive Summary

CVE-2026-47176 is a vulnerability in Quest Bot, an open-source Discord bot used for moderation and utilities. Before version 1.0.4, a user who has permission to configure the bot's settings can enable logging and select a logging channel they have access to. The bot then logs deleted and edited message contents from all channels it can see, including private channels that the configuring user cannot access.

This means that messages from private channels that the user does not have permission to view can be exposed in a logging channel that the user can read. An attacker with Manage Server permissions can exploit this to expose private channel messages, such as staff discussions or deleted edits, by enabling logging to a public channel they can access.

This issue has been fixed in version 1.0.4 of Quest Bot.

Impact Analysis

This vulnerability can lead to the exposure of sensitive and private information from Discord channels that a user should not have access to. Specifically, deleted or edited messages from private channels can be logged and sent to a channel visible to the attacker or unauthorized users.

If an attacker has Manage Server permissions, they can enable logging to a public or less secure channel, causing confidential discussions or private messages to be leaked. This compromises confidentiality and can lead to information disclosure within your Discord server.

Detection Guidance

This vulnerability occurs when a user with access to configure Quest Bot settings enables logging to a channel they can read, causing the bot to log deleted or edited messages from all accessible channels, including private ones.

To detect this vulnerability on your system, you should check if the Quest Bot version is older than 1.0.4 and if logging is enabled to a channel accessible by the configuring user.

Since the bot logs deleted or edited messages from all channels it can see, including private channels, monitoring the logging channel for unexpected message contents from private channels can indicate exploitation.

Specific commands are not provided in the available resources, but you can verify the Quest Bot version and logging configuration within your Discord server settings or bot configuration files.
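
One way to audit the condition described above, as an added example that is not Quest Bot's code or configuration format. It assumes a constructed snapshot of which members can read each channel (the names `Channel`, `audit` and `may_forward` are hypothetical) and flags source channels whose deleted or edited messages would reach log-channel readers who cannot read the source.

```python
# Added example: constructed data, not Quest Bot's code or config format.
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    name: str
    viewers: frozenset  # member IDs allowed to read the channel (assumed snapshot)
    bot_can_see: bool = True


def exposed_readers(source: Channel, log: Channel) -> frozenset:
    """Members who can read the log channel but not the source channel."""
    return log.viewers - source.viewers


def audit(channels, log_name):
    """Return {source channel name: sorted list of over-exposed members}."""
    by_name = {c.name: c for c in channels}
    log = by_name[log_name]
    findings = {}
    for ch in channels:
        if ch.name == log_name or not ch.bot_can_see:
            continue  # the bot only logs events from channels it can see
        leaked_to = exposed_readers(ch, log)
        if leaked_to:
            findings[ch.name] = sorted(leaked_to)
    return findings


def may_forward(source: Channel, log: Channel, configured_by: str) -> bool:
    """Gate for a delete/edit event: forward only if the configuring user and
    every reader of the log channel can already read the source channel."""
    return configured_by in source.viewers and not exposed_readers(source, log)


# Constructed sample server
GUILD = [
    Channel("general", frozenset({"alice", "bob", "mod1", "admin"})),
    Channel("staff-private", frozenset({"mod1", "admin"})),
    Channel("owner-only", frozenset({"admin"}), bot_can_see=False),
    Channel("bot-logs", frozenset({"bob", "mod1", "admin"})),
]

if __name__ == "__main__":
    for name, members in audit(GUILD, "bot-logs").items():
        print(f"{name}: log readable by {members}, who cannot read the source")
```

An empty result from `audit` means every reader of the logging channel can already read each channel the bot logs from.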

Mitigation Strategies

The primary mitigation step is to upgrade Quest Bot to version 1.0.4 or later, where this vulnerability has been patched.

Additionally, review and restrict permissions for users who can configure bot settings, ensuring that only trusted users have the ability to enable logging or select logging channels.

Avoid enabling logging to channels that are accessible by users who should not have access to private channel message contents.

Compliance Impact

The vulnerability allows exposure of private and potentially sensitive message contents from private Discord channels to users who should not have access, by logging deleted or edited messages to channels readable by unauthorized users.

This exposure of sensitive information could lead to non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls on access to personal or sensitive data and mandate minimizing unauthorized disclosure.

Because the bot logs private messages to channels accessible by users without proper permissions, it risks violating confidentiality requirements and data privacy principles embedded in these standards.
