CVE-2026-49347
Deferred - Pending Action
Excessive Ticket Creation in Quest Bot

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Quest Bot is an open-source Discord bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8.
Affected Vendors & Products
Vendor: duck-organization
Product: questbot
Version / Range: up to 1.1.8 (exclusive)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

CVE-2026-49347 is a vulnerability in the Quest Bot application (versions up to 1.1.7) that allows any user with access to the ticket panel to repeatedly create new ticket channels without any restrictions.

The system does not check whether the same user already has an open ticket and does not apply any cooldown or rate limiting. This leads to potential abuse where attackers can spam the server with multiple ticket channels.

The vulnerability stems from improper resource allocation without limits or throttling, affecting the ticket creation logic in the code.

Impact Analysis

This vulnerability allows attackers or ordinary users to spam your Discord server with multiple ticket channels.

Such spamming can clutter the server, disrupt staff workflows, and eventually hit Discord's channel limits.

As a result, the availability and usability of the ticket system can be degraded, making it harder for legitimate users to get support.

Detection Guidance

This vulnerability can be detected by monitoring the Discord server for an unusually high number of ticket channels being created by the same user in a short period of time.

Specifically, look for repeated creation of new ticket channels without any cooldown or checks for existing open tickets per user.

Since the issue affects the ticket creation handlers in the Quest Bot, you can also inspect logs or audit events related to ticket creation to identify if multiple tickets are being created by the same user rapidly.

Suggested commands or approaches include:

  • Use Discord server audit logs or bot logs to filter ticket creation events by user ID and count occurrences within a time window.
  • Run queries or scripts against the bot's database to find users with multiple open tickets or many tickets created recently.
  • Monitor Discord API rate limits or channel creation events to detect spikes that may indicate abuse.
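
The per-user counting described in the list above, shown as an added example that is not Quest Bot's own code. The event fields (user_id, ticket_id, created_at, open), the sample rows and the thresholds are assumptions made for illustration; map them to whatever your bot logs or database actually record.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. Field names are assumptions for illustration,
# not Quest Bot's real log or database schema.
SAMPLE_EVENTS = [
    {"user_id": "1001", "ticket_id": 1, "created_at": "2026-06-12T10:00:00", "open": True},
    {"user_id": "1001", "ticket_id": 2, "created_at": "2026-06-12T10:00:20", "open": True},
    {"user_id": "2002", "ticket_id": 3, "created_at": "2026-06-12T10:01:00", "open": False},
    {"user_id": "1001", "ticket_id": 4, "created_at": "2026-06-12T10:01:10", "open": True},
    {"user_id": "2002", "ticket_id": 5, "created_at": "2026-06-12T11:30:00", "open": True},
    {"user_id": "1001", "ticket_id": 6, "created_at": "2026-06-12T10:02:00", "open": True},
    {"user_id": "3003", "ticket_id": 7, "created_at": "2026-06-12T10:03:00", "open": True},
]


def find_ticket_abuse(events, window=timedelta(minutes=5), max_in_window=3, max_open=1):
    """Return {user_id: [reasons]} for users whose ticket creation looks abusive."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user_id"]].append((datetime.fromisoformat(ev["created_at"]), ev["open"]))

    findings = defaultdict(list)
    for user, rows in by_user.items():
        rows.sort()  # events may arrive out of order
        # Sliding window: peak number of creations inside any `window` span.
        recent, peak = deque(), 0
        for ts, _ in rows:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > max_in_window:
            findings[user].append(f"burst: {peak} tickets within {window}")
        # Concurrent open tickets: the state the missing per-user check allowed.
        open_count = sum(1 for _, is_open in rows if is_open)
        if open_count > max_open:
            findings[user].append(f"open: {open_count} tickets open at once")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in find_ticket_abuse(SAMPLE_EVENTS).items():
        print(user, reasons)
```
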

Mitigation Strategies

The immediate mitigation step is to upgrade Quest Bot to version 1.1.8 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, consider implementing manual rate limiting or monitoring to detect and restrict users who create excessive ticket channels.

Additionally, temporarily restricting access to the ticket panel to trusted users only can reduce the risk of abuse.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
