CVE-2026-47195
Status: Deferred - Pending Action
Permission Bypass in Quest Bot via Channel-Level Restrictions

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Quest Bot is an open-source Discord bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member’s effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6.
Meta Information
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: duck_organization
Product: questbot
Version / Range: up to 1.1.6 (exclusive)
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

The vulnerability CVE-2026-47195 affects the Quest Bot, an open-source Discord bot, specifically versions 1.1.5 and earlier.

The issue is that the bot's purge and slowmode commands only check guild-level permissions of the user invoking the command, rather than their effective channel-level permissions.

This means that a user who is denied moderation permissions in a specific channel can still delete messages or change slowmode settings in that channel through the bot, bypassing intended restrictions.

The root cause is that the bot uses member.permissions.has() to check permissions at the guild level instead of verifying the user's effective permissions in the specific channel.
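The following is an added example, not Quest Bot's code and not discord.js: a minimal model of Discord's permission resolution (base role permissions, then channel overwrites for @everyone, the member's roles, and the member itself) used to show why a guild-level check lets a channel-denied member through. The permission bit values are Discord's real flag values; the guild, roles, channel and member names are a constructed fixture, and the two authorize functions are hypothetical stand-ins for the bot's vulnerable and fixed checks.

```javascript
// Added example (not Quest Bot's code, not discord.js): model of Discord permission
// resolution. Bit values are Discord's real flags; the fixture below is constructed.
const ADMINISTRATOR   = 1n << 3n;
const MANAGE_CHANNELS = 1n << 4n;   // needed to change a channel's slowmode
const MANAGE_MESSAGES = 1n << 13n;  // needed to bulk-delete (purge) messages
const ALL = ADMINISTRATOR | MANAGE_CHANNELS | MANAGE_MESSAGES; // bits this model tracks

// Guild-level permissions: union of the member's roles (the @everyone role shares
// the guild's id). Administrator implies everything.
function guildPermissions(guild, member) {
  let perms = guild.roles.get(guild.id).permissions;
  for (const roleId of member.roles) perms |= guild.roles.get(roleId).permissions;
  return (perms & ADMINISTRATOR) ? ALL : perms;
}

// Effective permissions in one channel: guild permissions, then overwrites applied
// in Discord's order (@everyone, then the member's roles combined, then the member).
// Administrators bypass overwrites.
function channelPermissions(guild, channel, member) {
  let perms = guildPermissions(guild, member);
  if (perms & ADMINISTRATOR) return perms;
  const apply = (ow) => { if (ow) { perms &= ~ow.deny; perms |= ow.allow; } };
  apply(channel.overwrites.get(guild.id));
  let allow = 0n, deny = 0n;
  for (const roleId of member.roles) {
    const ow = channel.overwrites.get(roleId);
    if (ow) { allow |= ow.allow; deny |= ow.deny; }
  }
  apply({ allow, deny });
  apply(channel.overwrites.get(member.id));
  return perms;
}

// The pattern the advisory describes (before 1.1.6): only the invoking member's
// guild-level permissions are consulted; the channel argument is ignored.
function authorizeGuildLevel(guild, channel, member, required) {
  return (guildPermissions(guild, member) & required) === required;
}

// Hardened form: check effective permissions in the channel the command runs in.
// In discord.js, channel.permissionsFor(member).has(...) resolves this for you.
function authorizeChannelLevel(guild, channel, member, required) {
  return (channelPermissions(guild, channel, member) & required) === required;
}

// Constructed fixture: a "Helper" role that may moderate in general but is explicitly
// denied both moderation permissions in #announcements via a role overwrite.
const guild = {
  id: 'guild-1',
  roles: new Map([
    ['guild-1', { permissions: 0n }],                                    // @everyone
    ['role-helper', { permissions: MANAGE_MESSAGES | MANAGE_CHANNELS }],
  ]),
};
const alice = { id: 'user-alice', roles: ['role-helper'] };
const general = { id: 'chan-general', overwrites: new Map() };
const announcements = {
  id: 'chan-announcements',
  overwrites: new Map([
    ['role-helper', { allow: 0n, deny: MANAGE_MESSAGES | MANAGE_CHANNELS }],
  ]),
};

// What each check would let alice do in a given channel.
function decisions(channel) {
  return {
    purgeGuildLevel:      authorizeGuildLevel(guild, channel, alice, MANAGE_MESSAGES),
    purgeChannelLevel:    authorizeChannelLevel(guild, channel, alice, MANAGE_MESSAGES),
    slowmodeGuildLevel:   authorizeGuildLevel(guild, channel, alice, MANAGE_CHANNELS),
    slowmodeChannelLevel: authorizeChannelLevel(guild, channel, alice, MANAGE_CHANNELS),
  };
}

console.log('#general', decisions(general));
console.log('#announcements', decisions(announcements));
```

In #general both checks agree, so the defect is invisible there; in #announcements the guild-level check still authorizes purge and slowmode while the channel-level check correctly refuses, which is exactly the CWE-863 gap the description reports. The fix is to resolve permissions against the invoking channel, not to remove the check.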

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can allow unauthorized users to delete messages or change slowmode settings in Discord channels where they should not have such permissions.

As a result, moderation controls intended to restrict certain users at the channel level can be bypassed, potentially leading to misuse such as unauthorized message deletion or disruption of channel communication flow.

The severity of this issue is rated as High with a CVSS score of 7.1, indicating significant potential for misuse.

Detection Guidance

This vulnerability involves the QuestBot improperly checking only guild-level permissions instead of effective channel-level permissions for the purge and slowmode commands.

To detect this vulnerability, you can verify the version of QuestBot running in your environment. Versions 1.1.5 and earlier are affected, while version 1.1.6 and later have the fix.

There are no specific network or system commands provided to detect the vulnerability directly, but you can check the bot version with commands or queries relevant to your Discord bot management setup.

  • Check the QuestBot version by reviewing the bot's status or configuration in your Discord server or bot management interface.
  • Monitor usage of the purge and slowmode commands in channels where users have restricted channel-level permissions but broad guild-level permissions, to identify unauthorized actions.

Mitigation Strategies

The primary mitigation step is to upgrade QuestBot to version 1.1.6 or later, where the vulnerability has been patched.

Until the upgrade can be applied, consider restricting the use of the purge and slowmode commands to trusted users who have appropriate channel-level permissions.

Additionally, review and adjust Discord permissions to minimize the risk of misuse by limiting guild-level permissions for users who should not have moderation capabilities in specific channels.
