CVE-2026-47177

An attacker with the ability to configure bot settings (e.g., Manage Server permission) sets the ticket transcript channel to a channel they can read, such as `#public-logs`. When any ticket is closed, the bot exports the complete ticket history—including ticket reason, participant tags, message content, timestamps, and attachment URLs—and posts the transcript to that attacker-readable channel. This allows the attacker to read private ticket conversations they could not access directly [ref_id=1]. The precondition is that the attacker has settings-level access and the bot can send files in the chosen transcript channel.

The vulnerability resides in `apps/bot/src/commands/utility/settings.ts` (ticket transcript channel configuration) and `apps/bot/src/interaction-handlers/ticket/removeTicketHandler.ts` (functions `ButtonHandler.run` and `generateTranscript`). The bot fetches the full ticket channel history and sends a transcript to the configured `ticketTranscriptChannelId` without verifying that the transcript channel's readers were also permitted to view the original ticket channel [ref_id=1].

The patch (version 1.0.4) adds an authorization check before sending the transcript: the bot now verifies that every member who can read the transcript channel also had permission to read the original ticket channel. If the check fails, the transcript is not sent to that channel, preventing disclosure of private ticket contents to unauthorized viewers. The advisory does not include the exact diff, but the fix closes the privilege escalation by enforcing channel-level access control on transcript delivery [ref_id=1].