VYPR
High severity · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-47196

Description

An empty automod rule stored via insufficient input validation causes Quest Bot to delete every non-bot guild message.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Quest Bot versions prior to 1.1.6, the automod add command in `apps/bot/src/commands/moderation/automod.ts` trims user input but does not reject an empty result. Adding a rule that contains only whitespace therefore stores an empty string in the database via `createAutoMod` in `apps/bot/src/lib/automod.ts`. The message listener in `apps/bot/src/listeners/messageCreate.ts` then checks `content.includes("")`, which is always true, so the bot deletes every non-bot guild message [1]. All releases before 1.1.6 are affected.

Exploitation

An attacker needs the "Manage Guild" permission on the Discord server to run `/automod add`. They then supply only whitespace (one or multiple spaces) as the `word` argument. Once the rule is added, any non-bot user's message triggers deletion because `content.includes("")` is unconditionally true [1]. No other special conditions or race window are required.

Impact

Successful exploitation causes the bot to delete every non-bot message in the guild, effectively denying normal communication. The attacker can disrupt the entire server's chat functionality without requiring any further privileges [1].

Mitigation

The vulnerability is patched in version 1.1.6 [2]. Users should upgrade to Quest Bot version 1.1.6 or later. No workaround is available; the only remedy is applying the patch [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing input validation on the trimmed automod word allows storage of an empty string, which causes a content-inclusion check to match every message."

Attack vector

An attacker with the `Manage Guild` permission executes the `/automod add` slash command and supplies only whitespace (e.g., a single space) as the `word` parameter. The bot trims the input to an empty string and stores it as a valid automod rule. After the rule is stored, every non-bot message sent in the guild triggers `content.includes("")`, which is always `true`, causing the bot to delete the message [1]. No network-level or authentication bypass is required; the attacker simply uses a legitimate Discord slash-command option.

Affected code

The issue resides in `apps/bot/src/commands/moderation/automod.ts`, where the `chatInputRun` method trims user input but does not validate that the result is non-empty before storing it via `createAutoMod`. The stored empty string then causes `content.includes("")` to always evaluate to `true` in `apps/bot/src/listeners/messageCreate.ts`, making every non-bot guild message match the automod rule and be deleted [1].

What the fix does

The patch in version 1.1.6 adds a validation step after trimming the user-supplied `word` parameter in the automod add command. If the trimmed result is an empty string, the command rejects the input with an error instead of storing it. This prevents the creation of a rule whose `word` is the empty string, so the `content.includes()` check in the message listener can no longer match every message unconditionally [1].
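The validation gap and its fix, modelled as an added TypeScript example (not Quest Bot's code). The rule store is an in-memory array and every function name is hypothetical; the match-time guard and audit helper go beyond the described patch and assume a blank rule may already be stored from before the upgrade.

```typescript
// Added illustration: in-memory model of the rule store and message check.
// All function and type names are hypothetical, not Quest Bot's source.
type Rule = { guildId: string; word: string };

// Pre-1.1.6 behaviour as described: trim, then store whatever remains.
function addRuleUnchecked(rules: Rule[], guildId: string, raw: string): Rule[] {
  return [...rules, { guildId, word: raw.trim() }];
}

// Fixed behaviour as described: reject input that trims to nothing.
function addRuleChecked(rules: Rule[], guildId: string, raw: string): Rule[] {
  const word = raw.trim();
  if (word.length === 0) {
    throw new RangeError("automod word must contain a non-whitespace character");
  }
  return [...rules, { guildId, word }];
}

// Listener check as described: substring match against every stored rule.
function matchesNaive(rules: Rule[], guildId: string, content: string): boolean {
  return rules.some((r) => r.guildId === guildId && content.includes(r.word));
}

// Defence in depth (assumption, not part of the described patch): ignore
// blank rules at match time so an already-stored empty row cannot match.
function matchesGuarded(rules: Rule[], guildId: string, content: string): boolean {
  return rules.some(
    (r) => r.guildId === guildId && r.word.trim().length > 0 && content.includes(r.word)
  );
}

// Audit helper (assumption): list stored rules that would match every message.
function findBlankRules(rules: Rule[]): Rule[] {
  return rules.filter((r) => r.word.trim().length === 0);
}

// Constructed sample data: one guild, a whitespace-only rule, one ordinary message.
function demo() {
  const stored = addRuleUnchecked([], "guild-1", "   ");
  return {
    naive: matchesNaive(stored, "guild-1", "hello everyone"),
    guarded: matchesGuarded(stored, "guild-1", "hello everyone"),
    blank: findBlankRules(stored).length,
  };
}
```

Running `findBlankRules` over the stored rules after upgrading shows whether a blank rule is still present and needs to be deleted.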

Preconditions

  • auth: Attacker must have the `Manage Guild` permission on the Discord server.
  • config: The bot must have the `Manage Messages` permission to delete messages.
  • config: The bot must be running with database persistence enabled and the automod feature active.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
