CVE-2026-47177
Deferred - Pending Action

Information Disclosure in Quest Bot

Vulnerability report for CVE-2026-47177, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it to that configured transcript channel. This can expose private ticket messages to users who could not read the original ticket channel. This issue has been patched in version 1.0.4.


Meta Information

Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

1 associated CPE:
Vendor: duck_organization
Product: questbot
Version / Range: up to 1.0.4 (exclusive)

Exploitability

CWE ID: CWE-200
Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

AI Quick Actions

Compliance Impact

This vulnerability exposes private ticket messages and sensitive information to users who were not authorized to view the original ticket channel. Such unauthorized disclosure of confidential support or moderation conversations can lead to violations of data protection and privacy regulations.

Standards like GDPR and HIPAA require strict controls on access to personal and sensitive information. The exposure of private ticket contents to unauthorized users could result in non-compliance with these regulations, as it compromises confidentiality and potentially the integrity of personal data.

Therefore, organizations using affected versions of Quest Bot (<=1.0.3) may face compliance risks until the issue is patched in version 1.0.4.

Detection Guidance

This vulnerability involves the misconfiguration of the ticket transcript channel in Quest Bot versions prior to 1.0.4, where a user with bot settings configuration privileges can set the transcript channel to one they can read, potentially exposing private ticket messages.

To detect this vulnerability on your system, you should check the configuration of the ticket transcript channel in your Quest Bot setup and verify whether the transcript channel is accessible by users who should not have access to the original ticket channel.

Since the vulnerability is related to Discord channel permissions and bot configuration, detection involves inspecting the bot's settings and Discord channel permissions rather than network traffic or system commands.

Suggested steps include:

  • Review the Quest Bot configuration files or settings to identify the configured ticket transcript channel.
  • Check the Discord permissions for the transcript channel to see which users or roles have read access.
  • Compare the list of users/roles with access to the transcript channel against those who had access to the original ticket channels.

There are no specific commands provided in the available resources to detect this vulnerability automatically.
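One way to carry out the comparison in the last step above, as an added example that is neither Quest Bot's code nor Discord's API: permission resolution is a simplified model of Discord's VIEW_CHANNEL rules (role base grants, then channel overwrites for @everyone, aggregated roles and the member, with administrators seeing everything), and the guild, channel and member data are constructed.

```python
# Added example, not Quest Bot code: flag members who could read a ticket's transcript
# channel without having been able to read the ticket itself (the CVE-2026-47177 pattern).
from dataclasses import dataclass

@dataclass(frozen=True)
class Member:
    name: str
    roles: frozenset = frozenset()  # role names; "@everyone" is implicit
    admin: bool = False

@dataclass
class Channel:
    name: str
    overwrites: dict  # target (role or member name) -> (allow_view, deny_view)

def _apply(allowed, ow):
    """Apply one overwrite pair: deny is applied first, so an explicit allow wins."""
    if ow is None:
        return allowed
    allow, deny = ow
    return True if allow else (False if deny else allowed)

def can_view(member, channel, role_grants):
    """Simplified model of Discord VIEW_CHANNEL resolution: role base grants, then
    channel overwrites for @everyone, aggregated roles, and the member; admins see all."""
    if member.admin:
        return True
    roles = set(member.roles) | {"@everyone"}
    allowed = any(role_grants.get(r, False) for r in roles)
    allowed = _apply(allowed, channel.overwrites.get("@everyone"))
    role_ows = [channel.overwrites[r] for r in roles - {"@everyone"} if r in channel.overwrites]
    if role_ows:  # any role deny, then any role allow
        allowed = _apply(allowed, (any(a for a, _ in role_ows), any(d for _, d in role_ows)))
    return _apply(allowed, channel.overwrites.get(member.name))

def readers(channel, members, role_grants):
    return {m.name for m in members if can_view(m, channel, role_grants)}

def transcript_leak(ticket, transcript, members, role_grants):
    """Members who would gain access to the ticket's contents via the transcript channel."""
    return readers(transcript, members, role_grants) - readers(ticket, members, role_grants)

# Constructed sample guild: the ticket is visible to its opener (alice), staff and admins.
ROLE_GRANTS = {"@everyone": True}
MEMBERS = [Member("alice"), Member("bob"), Member("carol", frozenset({"staff"})),
           Member("dave", frozenset({"helpers"})), Member("erin", admin=True)]
TICKET = Channel("ticket-0042", {"@everyone": (False, True), "staff": (True, False), "alice": (True, False)})
LEAKY_TRANSCRIPT = Channel("mod-logs", {"@everyone": (False, True), "staff": (True, False), "helpers": (True, False)})
SAFE_TRANSCRIPT = Channel("ticket-archive", {"@everyone": (False, True), "staff": (True, False)})
```

A non-empty result from transcript_leak names exactly the principals the third detection step is looking for; an empty set means the transcript channel is no wider than the ticket it archives.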

Executive Summary

CVE-2026-47177 is a vulnerability in the Quest Bot, an open-source Discord bot used for moderation and support. Before version 1.0.4, users who had permission to configure the bot settings could set the ticket transcript channel to any channel they could read. When a ticket was closed, the bot would export the entire ticket history, including private messages, reasons, participants, timestamps, and attachments, and send it to the configured transcript channel. This allowed sensitive ticket information to be exposed to users who did not have access to the original private ticket channel.

The root cause of the vulnerability is that the system did not verify whether users with access to the transcript channel also had access to the original ticket channel, enabling unauthorized disclosure of private information.

This issue was fixed in version 1.0.4 of Quest Bot.

Impact Analysis

This vulnerability can lead to unauthorized exposure of sensitive and private ticket information. An attacker with configuration privileges can redirect ticket transcripts to channels accessible by unauthorized users, potentially disclosing confidential support conversations, private messages, participant details, timestamps, and attachments.

Such exposure can compromise privacy, trust, and confidentiality within a Discord community or organization using Quest Bot for moderation and support.

Mitigation Strategies

The vulnerability in Quest Bot versions prior to 1.0.4 can be mitigated by upgrading the bot to version 1.0.4 or later, where the issue has been patched.

This update ensures that the bot verifies that users with access to the transcript channel also had access to the original ticket channel, preventing unauthorized exposure of private ticket messages.
