CVE-2026-47195
Description
Quest Bot prior to 1.1.6 fails to check channel-level permissions for purge and slowmode commands, allowing users with only guild-level moderation perms to bypass channel-specific restrictions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Quest Bot versions prior to 1.1.6 contain an authorization bypass in the purge and slowmode moderation commands. The commands validate the invoking member’s permissions using only member.permissions.has(), which checks guild-level permissions rather than effective permissions in the channel where the command is executed [1]. This means channel-specific permission overwrites (e.g., denying ManageMessages or ManageChannels on a per-channel basis) are not considered. The vulnerable code is in apps/bot/src/commands/moderation/purge.ts and apps/bot/src/commands/moderation/slowmode.ts [1]. The fix is released in version 1.1.6 [2].
Exploitation
An attacker must have guild-level ManageMessages or ManageChannels permission but be denied those permissions in a specific channel via a channel overwrite. The attacker then invokes the purge or slowmode slash command in that channel. The bot, lacking an effective permission check, will execute channel.bulkDelete(), channel.messages.delete(), or channel.setRateLimitPerUser() on behalf of the attacker [1]. No additional authentication or user interaction beyond normal Discord slash command usage is required.
Impact
A successful exploit allows the attacker to delete any number of messages in the channel (up to the bot’s permission limit) or alter the channel’s slowmode setting, despite having those permissions explicitly denied at the channel level. This undermines channel-specific moderation controls and can be used to disrupt conversations or evade moderation [1].
Mitigation
Upgrade to Quest Bot 1.1.6 or later, which includes the fix [2]; the sources record no release date beyond its being before June 12, 2026. The fix must evaluate the invoking member's effective permissions in the channel where the command is run, using Discord's channel permission calculation (guild permissions combined with the channel's @everyone, role and member overwrites), rather than guild-level permissions alone [1]. No workarounds are documented; until the bot is updated, server administrators should assume that channel-level denies of Manage Messages and Manage Channels are not enforced for these two commands.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <1.1.6
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing effective channel permission check in purge and slowmode commands allows bypass of channel-specific permission overwrites."
Attack vector
An attacker with guild-level Manage Messages or Manage Channels permissions, but who has been denied those same permissions via a channel-specific overwrite, can still execute the purge or slowmode slash commands in that channel. The bot's permission check only inspects the member's guild-level permissions, so it proceeds to call `channel.bulkDelete`, `channel.messages.delete`, or `channel.setRateLimitPerUser` on the restricted channel, bypassing the intended per-channel restriction [1].
Affected code
The vulnerability resides in `apps/bot/src/commands/moderation/purge.ts` (PurgeCommand.chatInputRun) and `apps/bot/src/commands/moderation/slowmode.ts` (SlowmodeCommand.chatInputRun). Both commands use `member.permissions.has(...)` which only checks guild-level permissions, ignoring channel-specific permission overwrites. The commands then operate on `interaction.channel` without verifying the member's effective permissions on that channel.
What the fix does
The advisory does not include a patch diff, but states the fix is in version 1.1.6 [1]. The remediation requires replacing the guild-level `member.permissions.has(...)` check with an effective channel permission check, such as using the channel's permission calculation for the invoking member (e.g., `channel.permissionsFor(member).has(...)`). This ensures that channel-specific overwrites that deny Manage Messages or Manage Channels are respected before allowing the bot to act on that channel.
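The following is an added, stand-alone TypeScript model of the two checks contrasted in the Vulnerability, Mitigation and Affected code sections above. It is not Quest Bot's code and not discord.js: guildPermissions mirrors what member.permissions.has() consults, channelPermissions mirrors channel.permissionsFor(member) by applying Discord's documented overwrite order (@everyone, then the member's roles, then the member's own overwrite), and the constructed scenario shows the guild-level check passing in a channel whose overwrite denies the role. The permission bit positions are Discord's real ones; every guild, role, channel and member in it is constructed, and the helper names are hypothetical.

```typescript
// Added, stand-alone model of Discord permission resolution (not Quest Bot's
// code, not discord.js). Bit positions are Discord's real ones; discord.js
// keeps them in 64-bit BigInt fields, but plain numbers cover the three
// flags used here. Guild, role, channel and member data below are constructed.
export const Administrator = 1 << 3;
export const ManageChannels = 1 << 4;
export const ManageMessages = 1 << 13;
const AllPermissions = ~0; // every bit set

export interface Role { id: string; permissions: number }
export interface Overwrite { id: string; type: 'role' | 'member'; allow: number; deny: number }
export interface Channel { id: string; overwrites: Overwrite[] }
export interface Member { id: string; roleIds: string[] }
export interface Guild { everyoneRoleId: string; roles: Map<string, Role> }

// Guild-level permissions: the union of @everyone and the member's roles.
// This is all that member.permissions.has() consults in discord.js.
export function guildPermissions(guild: Guild, member: Member): number {
  let perms = guild.roles.get(guild.everyoneRoleId)?.permissions ?? 0;
  for (const id of member.roleIds) {
    perms |= guild.roles.get(id)?.permissions ?? 0;
  }
  return perms;
}

// Effective permissions in one channel, in Discord's documented order:
// base guild perms, then the @everyone overwrite, then the combined overwrites
// of the member's roles, then the member's own overwrite (deny applied before
// allow at each step). Administrator short-circuits the whole calculation.
// This is what channel.permissionsFor(member) computes in discord.js.
export function channelPermissions(guild: Guild, member: Member, channel: Channel): number {
  let perms = guildPermissions(guild, member);
  if (perms & Administrator) return AllPermissions;

  const apply = (allow: number, deny: number) => { perms = (perms & ~deny) | allow; };

  const everyone = channel.overwrites.find(o => o.type === 'role' && o.id === guild.everyoneRoleId);
  if (everyone) apply(everyone.allow, everyone.deny);

  let roleAllow = 0, roleDeny = 0;
  for (const o of channel.overwrites) {
    if (o.type === 'role' && o.id !== guild.everyoneRoleId && member.roleIds.includes(o.id)) {
      roleAllow |= o.allow;
      roleDeny |= o.deny;
    }
  }
  apply(roleAllow, roleDeny);

  const own = channel.overwrites.find(o => o.type === 'member' && o.id === member.id);
  if (own) apply(own.allow, own.deny);
  return perms;
}

// Pre-1.1.6 pattern: authorize on guild-level permissions only. The channel
// argument is ignored, which is exactly the bug.
export function vulnerableAuthorize(guild: Guild, member: Member, _channel: Channel, required: number): boolean {
  return (guildPermissions(guild, member) & required) === required;
}

// Corrected pattern: authorize on effective permissions in the command's channel.
export function fixedAuthorize(guild: Guild, member: Member, channel: Channel, required: number): boolean {
  return (channelPermissions(guild, member, channel) & required) === required;
}

// Constructed scenario: a Moderator role grants Manage Messages and Manage
// Channels guild-wide; #announcements denies both to Moderators, and #staff
// denies Manage Messages to Moderators but re-allows it for one member.
export function scenario() {
  const guild: Guild = {
    everyoneRoleId: 'everyone',
    roles: new Map<string, Role>([
      ['everyone', { id: 'everyone', permissions: 0 }],
      ['moderator', { id: 'moderator', permissions: ManageMessages | ManageChannels }],
    ]),
  };
  const mod: Member = { id: 'user-1', roleIds: ['moderator'] };
  const general: Channel = { id: 'general', overwrites: [] };
  const announcements: Channel = {
    id: 'announcements',
    overwrites: [{ id: 'moderator', type: 'role', allow: 0, deny: ManageMessages | ManageChannels }],
  };
  const staff: Channel = {
    id: 'staff',
    overwrites: [
      { id: 'moderator', type: 'role', allow: 0, deny: ManageMessages },
      { id: 'user-1', type: 'member', allow: ManageMessages, deny: 0 },
    ],
  };
  const check = (channel: Channel, required: number) => ({
    vulnerable: vulnerableAuthorize(guild, mod, channel, required),
    fixed: fixedAuthorize(guild, mod, channel, required),
  });
  return {
    purgeInGeneral: check(general, ManageMessages),                // both true
    purgeInAnnouncements: check(announcements, ManageMessages),    // vulnerable true, fixed false
    slowmodeInAnnouncements: check(announcements, ManageChannels), // vulnerable true, fixed false
    purgeInStaff: check(staff, ManageMessages),                    // both true: member overwrite wins
  };
}
```

In discord.js terms the fix swaps `member.permissions.has(flag)` for `channel.permissionsFor(member).has(flag)` (or the equivalent `member.permissionsIn(channel)`), evaluated against `interaction.channel`. Two practitioner caveats: `interaction.channel` can be null for a slash command, and that case should deny rather than fall back to the guild-level check; and running the same channel-level calculation for the bot's own member before calling `bulkDelete` or `setRateLimitPerUser` avoids attempting actions that a channel overwrite on the bot would reject.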
Preconditions
- auth: The attacker must have guild-level Manage Messages (for purge) or Manage Channels (for slowmode) permissions.
- config: The attacker must be denied the same permission via a channel-specific overwrite on the target channel.
- config: The bot must have the necessary permissions (Manage Messages, Manage Channels) on the target channel.
- input: The attacker must be able to execute slash commands in the target channel.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.