Quest Bot: AutoMod removal can delete rules from another guild...

8.3 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without verifying that the rule belongs to the guild where the command is executed. A user can learn a victim guild’s AutoMod rule ID through autocomplete, then remove that rule from another guild where they have Manage Server. This issue has been patched in version 1.0.5.

Basic Information

ID CVE-2026-47189

Source GitHub_M

Published Jun 11, 2026 at 18:31

Affected Product

Vendor duck-organization

Product quest-bot

Version < 1.0.5

Affected Versions duck-organization quest-bot < 1.0.5

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without verifying that the rule belongs to the guild where the command is executed. A user can learn a victim guild\u2019s AutoMod rule ID through autocomplete, then remove that rule from another guild where they have Manage Server. This issue has been patched in version 1.0.5.",
    "published": "2026-06-11T18:31:24.753Z",
    "modified": "2026-06-11T18:31:24.753Z",
    "type": "cve",
    "title": "Quest Bot: AutoMod removal can delete rules from another guild by global rule ID",
    "source": "GitHub_M",
    "references": "https://github.com/duck-organization/questbot/security/advisories/GHSA-6rv9-6p24-w955\nhttps://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.5",
    "id": "CVE-2026-47189",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "duck-organization quest-bot < 1.0.5",
    "sourceHref": "",
    "cvss": {
        "score": 8.3,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "quest-bot",
    "version": "< 1.0.5",
    "vendor": "duck-organization",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Quest Bot: AutoMod removal can delete rules from another guild by global rule ID_CVE-2026-47189