CVE-2026-47163 HIGH

CVE-2026-47163: Quest Bot: Unprivileged users can create and remove AutoMod rules.

Vendor Duck-Organization
Product quest-bot
Weakness CWE-862 · Missing authorization
Published June 11, 2026
Last update June 11, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list because the command has no Discord default permission requirement and no runtime moderator permission check. An attacker can add a rule matching common text and make the bot delete other users’ messages. This issue has been patched in version 1.0.1.

Key dates

02Disclosure timeline

June 11, 2026 CVE published
June 11, 2026 Record updated