CVE-2026-47189

Quest Bot: AutoMod removal can delete rules from another guild by global rule ID

CVSS 8.3 HIGHEPSS 0.3%CWE-639

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

11 jun 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without verifying that the rule belongs to the guild where the command is executed. A user can learn a victim guild’s AutoMod rule ID through autocomplete, then remove that rule from another guild where they have Manage Server. This issue has been patched in version 1.0.5.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Productos afectados

duck-organization · quest-bot

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.5 https://github.com/duck-organization/questbot/security/advisories/GHSA-6rv9-6p24-w955