CVE-2026-47163
Description
In Quest Bot <1.0.1, any guild member can add, remove, or list AutoMod rules via slash commands, enabling message deletion abuse.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Quest Bot prior to version 1.0.1, the /automod add, /automod remove, and /automod list slash commands are accessible to any guild member who can invoke slash commands, because the commands have no Discord default permission requirement and no runtime moderator permission check [1], [2]. An unprivileged attacker can add a rule matching common text (e.g., a single letter like e) and cause the bot to delete other users’ messages containing that text [2].
Exploitation
The attacker only needs to be a member of the Discord guild where the bot is installed, with no special permissions [2]. The attacker runs /automod add word:e (or any common substring). When another user sends a message containing that word, the bot deletes the message and posts a warning. The attacker can also list and remove existing AutoMod rules using /automod list and /automod remove word: [2]. No user interaction beyond normal message sending is required for the deletion effect.
Impact
A successful attacker can disrupt normal server communication by causing legitimate messages to be deleted, and can weaken existing moderation by removing configured AutoMod rules [2]. The impact is denial of service (disruption) and compromise of the intended moderation system, without requiring any privileged role.
Mitigation
The vulnerability is patched in version 1.0.1, released on 2026-06-11 (see the release tag) [1]. All users should upgrade to Quest Bot 1.0.1 or later. No workaround is mentioned in the available references.
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <1.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check on AutoMod slash commands allows any guild member to create, list, or remove AutoMod rules."
Attack vector
An attacker joins the guild as a normal member with no moderation permissions and invokes `/automod add word:e` (or any common substring). The bot stores the rule and subsequently deletes any message containing that substring, then posts a warning tagging the author [ref_id=1]. The same lack of authorization also lets the attacker list and remove existing AutoMod rules via `/automod list` and `/automod remove` [ref_id=1].
Affected code
The `/automod add`, `/automod remove`, and `/automod list` slash commands lack a Discord default permission requirement and a runtime moderator permission check, making them accessible to any guild member who can invoke slash commands [ref_id=1].
What the fix does
The patch (version 1.0.1) adds a Discord default permission requirement and/or a runtime moderator permission check to the AutoMod commands so that only users with moderator-level permissions can add, remove, or list AutoMod rules [ref_id=1]. This closes the vulnerability by ensuring unprivileged guild members cannot alter server-wide moderation behavior.
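The following is an added example, not Quest Bot's own code, modelling both sides of what the Vulnerability and What the fix does sections describe: the pre-1.0.1 handler that dispatches `/automod add|remove|list` for any member, the patched handler that first checks the invoking member's permission bitfield, and the message filter that turns a rule on `e` into deletions. The `interaction` and `message` objects are constructed stand-ins for the shape a discord.js handler receives (an assumption; nothing here calls the Discord API), and the permission bit values are Discord's documented MANAGE_GUILD and MANAGE_MESSAGES flags. The hypothetical `automodCommandDefinition` uses the raw Discord API field `default_member_permissions` to show the second layer of the fix.

```javascript
// Added example (not Quest Bot's code). Models the AutoMod command path
// before and after the 1.0.1 fix using constructed interaction objects.
// Discord permission bits (documented API values): MANAGE_GUILD = 1<<5,
// MANAGE_MESSAGES = 1<<13. Permissions are BigInt bitfields, as in discord.js.
const MANAGE_GUILD = 1n << 5n;
const MANAGE_MESSAGES = 1n << 13n;

// Per-guild rule store: guildId -> Set of lower-cased banned substrings.
const rules = new Map();
function rulesFor(guildId) {
  if (!rules.has(guildId)) rules.set(guildId, new Set());
  return rules.get(guildId);
}

// Shared subcommand logic. On its own it has no idea who is calling.
function dispatch(interaction) {
  const set = rulesFor(interaction.guildId);
  const word = (interaction.options.word || '').toLowerCase();
  switch (interaction.options.subcommand) {
    case 'add':
      if (!word) return { ok: false, reply: 'word is required' };
      set.add(word);
      return { ok: true, reply: `Added AutoMod rule: ${word}` };
    case 'remove':
      if (!set.delete(word)) return { ok: false, reply: `No rule for: ${word}` };
      return { ok: true, reply: `Removed AutoMod rule: ${word}` };
    case 'list':
      return { ok: true, reply: [...set].join(', ') || '(no rules)' };
    default:
      return { ok: false, reply: 'unknown subcommand' };
  }
}

// Vulnerable handler (pre-1.0.1 behaviour as the advisory describes):
// every member who can run slash commands reaches dispatch().
function handleAutomodVulnerable(interaction) {
  return dispatch(interaction);
}

// Hardened handler: the runtime moderator check. Refuse unless the caller
// holds Manage Server or Manage Messages. The reply is ephemeral so the
// rejection is not itself usable as channel noise.
function handleAutomodFixed(interaction) {
  const perms = interaction.member.permissions; // BigInt bitfield (assumed shape)
  const isMod = (perms & MANAGE_GUILD) !== 0n || (perms & MANAGE_MESSAGES) !== 0n;
  if (!isMod) {
    return { ok: false, ephemeral: true,
      reply: 'You need Manage Server or Manage Messages to edit AutoMod rules.' };
  }
  return dispatch(interaction);
}

// Second layer of the fix: a default permission on the command definition
// (raw Discord API field). Discord then hides the command from members
// lacking MANAGE_GUILD, but admins can override this per role, which is why
// the runtime check above stays in place.
const automodCommandDefinition = {
  name: 'automod',
  description: 'Manage AutoMod rules',
  default_member_permissions: String(MANAGE_GUILD),
};

// Message filter: what the bot does when any member posts. A rule on "e"
// matches almost every English message, which is the abuse in the advisory.
function filterMessage(message) {
  const text = message.content.toLowerCase();
  for (const w of rulesFor(message.guildId)) {
    if (text.includes(w)) {
      return { delete: true, warn: `<@${message.authorId}> your message matched rule "${w}"` };
    }
  }
  return { delete: false };
}

// Demo with constructed data: a member with no permissions runs the
// advisory's payload against both handlers; a victim then posts.
function demo() {
  const attacker = { guildId: 'g1', member: { permissions: 0n },
    options: { subcommand: 'add', word: 'e' } };
  const victimMsg = { guildId: 'g1', authorId: '42', content: 'hello everyone' };
  rules.clear();
  const before = handleAutomodVulnerable(attacker);
  const deletedBefore = filterMessage(victimMsg).delete;
  rules.clear();
  const after = handleAutomodFixed(attacker);
  const deletedAfter = filterMessage(victimMsg).delete;
  return { before, deletedBefore, after, deletedAfter };
}
```

Running `demo()` shows the unprivileged `add` succeeding and `hello everyone` being deleted under the old handler, and the same call rejected with no deletion under the fixed one; a member holding MANAGE_MESSAGES still gets through `handleAutomodFixed`.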
Preconditions
- config: The bot must be installed in a Discord guild with production command registration active.
- config: The bot must have permission to delete messages in the target channel.
- auth: The attacker must be a guild member who can invoke slash commands (no moderator permissions required).
- input: The attacker sends a slash command payload via Discord's command interface.
Reproduction
Join the guild as a normal member with no moderation permissions. Run `/automod add word:e`. From another account (or by asking another member), send `hello everyone`. The bot deletes the message because it contains `e`, then posts a warning tagging the message author [ref_id=1].
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.