Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-47189— Quest Bot: AutoMod removal can delete rules from another guild by global rule ID

AI Predicted 8.1 Difficulty: Moderate EPSS 0.31% · P22

Affected Version Matrix 1

VendorProductVersion RangeStatus
duck-organizationquest-bot< 1.0.5affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-47189

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Quest Bot: AutoMod removal can delete rules from another guild by global rule ID
Source: NVD (National Vulnerability Database)
Vulnerability Description
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without verifying that the rule belongs to the guild where the command is executed. A user can learn a victim guild’s AutoMod rule ID through autocomplete, then remove that rule from another guild where they have Manage Server. This issue has been patched in version 1.0.5.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Quest Bot 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Quest Bot是Duck Organization开源的一款多功能Discord社区管理机器人。 Quest Bot 1.0.5之前版本存在安全漏洞,该漏洞源于AutoMod删除流程未验证规则所属服务器,可能导致用户从其他服务器删除规则。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
duck-organizationquest-bot < 1.0.5 -

II. Public POCs for CVE-2026-47189

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-47189

登录查看更多情报信息。

Vendor Advisories for CVE-2026-47189 (1)

Vendor Pages for CVE-2026-47189 (1)

Same Patch Batch · duck-organization · 2026-06-11 · 11 CVEs total

CVE-2026-47188Quest Bot: Unban and unwarn reason fields still allow bot-powered mass mentions.
CVE-2026-47163Quest Bot: Unprivileged users can create and remove AutoMod rules.
CVE-2026-47175Quest Bot: Moderation reason fields allow bot-powered `@everyone` / `@here` pings
CVE-2026-47177Quest Bot: Ticket transcripts can disclose private ticket contents to a lower-visibility c
CVE-2026-47173Quest Bot: Ticket reason allows mass-mention injection
CVE-2026-47174Duck Site: Untrusted pull request code can trigger privileged production deployment
CVE-2026-47176Quest Bot: Logging module can disclose private-channel message contents to a lower-visibil
CVE-2026-47171Quest Bot: Reminder messages allow stored mass mentions through `@everyone` and `@here`
CVE-2026-47172Quest Bot: Untrusted pull request code can be built and deployed by privileged `workflow_r
CVE-2026-47169Quest Bot: Manage Server users can configure AutoRole to grant Administrator to controlled

IV. Related Vulnerabilities

V. Comments for CVE-2026-47189

No comments yet


Leave a comment