CVE-2026-47176
Description
Quest Bot prior to 1.0.4 allows users with bot settings access to leak private channel message contents via logging feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Quest Bot's logging module, prior to version 1.0.4, allows users who can configure bot settings (e.g., Manage Server permission) to enable logging and choose a logging channel they can read. The bot then logs deleted and edited message contents from every channel it can see, including private channels the configuring user cannot access. This affects all versions before 1.0.4 [1][2].
Exploitation
An attacker with Manage Server permission (or equivalent) can run /settings, enable the logging module, and set the logging channel to a channel they can read (e.g., #public-logs). When a message is edited or deleted in a private channel the bot can see (e.g., #staff-private), the bot posts a log embed in the configured channel containing the private channel reference and the message content. The attacker can then read content from a channel they could not directly access [2].
Impact
The attacker gains unauthorized access to message contents from private channels, potentially exposing staff discussions, moderation notes, or other sensitive server content. This is an information disclosure vulnerability [2].
Mitigation
The vulnerability is fixed in version 1.0.4, released on 2026-06-11. Users should update to questbot-v1.0.4 [1][2]. No workarounds are documented in the available references.
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <1.0.4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing access control check: the bot logs message contents from all visible channels into a configured logging channel without verifying that the logging channel's viewers are authorized to see the source channel."
Attack vector
An attacker with the Manage Server permission (or equivalent bot settings access) enables logging via `/settings` and selects a logging channel they can read, such as `#public-logs`. The bot then logs deleted and edited message contents from every channel it can see, including private channels like `#staff-private` that the attacker cannot directly access. When a staff member edits or deletes a message in the private channel, the bot posts an embed containing the channel reference and the message content into the attacker-visible logging channel [ref_id=1].
Affected code
The logging module in Quest Bot (settings configuration, message delete logging, and message edit logging) is the vulnerable component. The bot sends message deletion/edit logs including message content into the configured logging channel without verifying whether viewers of that channel are also permitted to view the source channel [ref_id=1].
What the fix does
The patch in version 1.0.4 addresses the missing access control check in the logging feature. The fix ensures that before logging a deleted or edited message, the bot verifies that the user who configured the logging channel has permission to view the source channel where the message was originally posted. This prevents private-channel message contents from being leaked into a lower-visibility logging channel [ref_id=1].
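The check described in this fix, as an added example that is not Quest Bot's own code: it models channels, user ids and the /settings configuration as constructed in-memory data rather than discord.js objects, and the stricter all-viewers variant is an assumption that goes beyond the documented fix.

```javascript
// Added example, not Quest Bot's code: a model of the logging decision
// described above; channels, users and config are constructed data.

// Constructed server: which user ids may view each channel.
const channels = {
  "#public-logs": { viewers: new Set(["attacker", "staff1", "staff2"]) },
  "#staff-private": { viewers: new Set(["staff1", "staff2"]) },
};

function canView(userId, channelName) {
  const ch = channels[channelName];
  return ch !== undefined && ch.viewers.has(userId);
}

// Logging configuration as set through /settings. Recording who
// configured it is what makes the fixed check possible.
const loggingConfig = {
  enabled: true,
  logChannel: "#public-logs",
  configuredBy: "attacker",
};

// Pre-1.0.4 behaviour: any deleted/edited message from a channel the
// bot can see is logged, regardless of who can read the log channel.
function shouldLogVulnerable(config, sourceChannel) {
  return config.enabled && channels[sourceChannel] !== undefined;
}

// 1.0.4 behaviour as the advisory describes it: log only if the user
// who configured logging may view the source channel.
function shouldLogFixed(config, sourceChannel) {
  if (!config.enabled || channels[sourceChannel] === undefined) return false;
  return canView(config.configuredBy, sourceChannel);
}

// Stricter variant matching the root-cause wording (an assumption, not
// the documented fix): every viewer of the log channel must also be
// able to view the source channel.
function shouldLogStrict(config, sourceChannel) {
  const log = channels[config.logChannel];
  if (!log || !shouldLogFixed(config, sourceChannel)) return false;
  return [...log.viewers].every((u) => canView(u, sourceChannel));
}

// Builds the log embed the bot would post, or null when suppressed.
function buildLogEntry(config, sourceChannel, content, decide) {
  if (!decide(config, sourceChannel)) return null;
  return { channel: config.logChannel, source: sourceChannel, content };
}
```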
Preconditions
- auth: Attacker must have permission to run /settings (e.g., Manage Server permission)
- config: Bot must be able to view a private channel (e.g., #staff-private) that the attacker cannot access
- input: Attacker must be able to view the chosen logging channel (e.g., #public-logs)
Reproduction
Setup assumptions:
- Bot can view #staff-private.
- Attacker has permission to run /settings, such as Manage Server.
- Attacker cannot view #staff-private.
- Attacker can view #public-logs.

Steps:
1. As the attacker, run /settings.
2. Select the logging module.
3. Enable logging.
4. Set the logging channel to #public-logs.
5. From a separate staff account, send this in #staff-private: `private staff secret`
6. Edit the message to: `edited private staff secret`
7. Or delete the message.
Expected result: The bot posts a log embed in #public-logs containing the private channel reference and the deleted or edited message content. [ref_id=1]
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.