CVE-2026-47196
Deferred - Pending Action
Automod Rule Bypass in Quest Bot Leads to Message Deletion

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Quest Bot is an open-source Discord bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(""), which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6.
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
duck-organization | questbot | to 1.1.6 (exc)
duck-organization | questbot | 1.1.6
CWE ID | Description
CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

CVE-2026-47196 is a vulnerability in the Quest Bot, an open-source Discord bot, affecting versions 1.1.5 and earlier. The issue occurs because the automod add command trims user input but does not reject inputs that become empty after trimming. If a user adds a rule containing only whitespace, it stores an empty string as the automod word.

Later, the bot's message listener checks if any message content includes this empty string, which is always true. As a result, the bot deletes every non-bot guild message, causing widespread disruption.

This flaw allows a user with Manage Guild permissions to disrupt normal chat across the server by creating an empty automod rule, even if they do not have direct message management permissions. The vulnerability was patched in version 1.1.6.

Impact Analysis

This vulnerability can severely disrupt the normal operation of a Discord server using the Quest Bot. Because the bot deletes every non-bot message when an empty automod rule is added, it effectively silences all user communication in the guild.

A user with Manage Guild permissions can exploit this to cause denial of service by preventing users from sending messages, impacting the availability and integrity of the server's communication.

Detection Guidance

This vulnerability can be detected by checking if the Quest Bot automod rules contain any entries that are empty strings or consist solely of whitespace characters.

Since the issue arises when a rule containing only whitespace is added, you can inspect the automod rules configuration or database for such entries.

There are no specific commands provided in the resources, but a general approach would be to query the bot's automod rules for empty or whitespace-only strings.

  • Review the automod rules configuration files or database entries for empty or whitespace-only rules.
  • Monitor the bot's logs for unusual mass deletion of non-bot guild messages, which may indicate exploitation.
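
The check described above, as an added JavaScript example (not Quest Bot's own code): it models the trim-without-empty-check flaw beside a hardened form and an audit that lists empty or whitespace-only stored rules. All function names and the in-memory rule array are assumptions made for illustration.

```javascript
// Added example. Names are hypothetical, not taken from Quest Bot's source.

// "Before": trims the input but stores whatever remains, even "".
function addRuleVulnerable(rules, input) {
  rules.push(input.trim());
  return rules;
}

// "After": reject input that is empty once trimmed.
function addRuleHardened(rules, input) {
  if (typeof input !== "string") throw new TypeError("rule must be a string");
  const word = input.trim();
  if (word.length === 0) throw new RangeError("rule must not be empty");
  rules.push(word);
  return rules;
}

// Listener-side check as the advisory describes it: content.includes(word).
// "anything".includes("") is true, so one empty rule matches every message.
function matchesAnyRule(rules, content) {
  return rules.some((word) => content.includes(word));
}

// Defence in depth: skip rules that are empty after trimming, so a bad
// entry already in storage cannot match everything.
function matchesAnyRuleSafe(rules, content) {
  return rules.some(
    (w) => typeof w === "string" && w.trim() !== "" && content.includes(w)
  );
}

// Audit: indexes of stored rules that are non-strings, empty, or whitespace-only.
function findEmptyRules(rules) {
  return rules
    .map((w, i) => ({ w, i }))
    .filter(({ w }) => typeof w !== "string" || w.trim().length === 0)
    .map(({ i }) => i);
}

// Constructed sample data: one legitimate rule plus a whitespace-only add.
const stored = addRuleVulnerable(["spamword"], "   ");
console.log("empty rule indexes:", findEmptyRules(stored));
console.log("vulnerable check on 'hello':", matchesAnyRule(stored, "hello"));
console.log("safe check on 'hello':", matchesAnyRuleSafe(stored, "hello"));
```

Run the audit function over the rules exported from the bot's configuration or database; any index it returns should be removed before or alongside the upgrade to 1.1.6.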
Mitigation Strategies

The immediate mitigation step is to upgrade the Quest Bot to version 1.1.6 or later, where this vulnerability has been patched.

Until the upgrade is applied, avoid adding automod rules that contain only whitespace, as these trigger the vulnerability.

Additionally, restrict Manage Guild permissions to trusted users only, since users with this permission can exploit the vulnerability by adding malicious automod rules.
