CVE-2026-49347
Description
Quest Bot before 1.1.8 lets any user repeatedly create tickets without limit, flooding channels.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Quest Bot versions prior to 1.1.8, the ticket creation mechanism in apps/bot/src/interaction-handlers/ticket/createTicketHandler.ts and apps/bot/src/lib/tickets.ts does not check if the user already has an open ticket and does not enforce any cooldown or per-user limit. This allows any user with access to the ticket panel to create an arbitrary number of ticket channels. The vulnerability exists in all versions before 1.1.8 [2].
Exploitation
An attacker who can access the ticket panel repeatedly clicks the "Create Ticket" button, submits the modal (optionally with a reason), and observes a new ticket channel created each time. By repeating this process, the attacker can generate many channels without restriction [2].
Impact
Successful exploitation clutters the server with attacker-created channels, disrupts staff workflows, and can cause the guild to hit Discord channel or category limits, degrading the availability of the ticket system [2].
Mitigation
The vulnerability has been patched in version 1.1.8 [1]. Users should upgrade to this version immediately. No other workarounds are documented. If upgrading is not possible, consider restricting access to the ticket panel.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <1.1.8
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing per-user open-ticket check and missing cooldown allow any user to create an unlimited number of ticket channels."
Attack vector
An attacker who can access the ticket panel clicks the Create Ticket button, submits a reason through the modal, and observes that a new Discord channel is created. Repeating this flow with different reasons (e.g., `test-1`, `test-2`) produces a separate ticket channel each time. There is no cooldown, active-ticket limit, or guild-wide creation limit enforced, so the attacker can repeatedly consume guild channel resources. [ref_id=1]
Affected code
The vulnerability involves `apps/bot/src/interaction-handlers/ticket/createTicketHandler.ts` (the `ButtonHandler.run` function) and `apps/bot/src/lib/tickets.ts` (the `createTicket` function). The ticket handler accepts every create-ticket button click without checking whether the same user already has an open ticket, and the database helper increments the ticket number and creates a ticket record without verifying against existing open tickets for the same `guildId + userId`.
What the fix does
The patch in version 1.1.8 adds a check to prevent ticket creation if the same user already has an open ticket in the same guild and also applies a cooldown to limit repeated submissions. This closes the resource-exhaustion vector by ensuring each user can only have one active ticket at a time and cannot rapidly resubmit the form.
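The two controls described above, as an added example that is not Quest Bot's own code: `TicketGuard`, `tryCreate`, `COOLDOWN_MS` and the 60-second value are assumptions, and in-memory Maps stand in for the bot's database.

```typescript
// Added example: hypothetical names; Maps replace the real ticket table.
type Decision =
  | { ok: true; ticketNumber: number }
  | { ok: false; reason: "open_ticket_exists" | "cooldown"; retryAfterMs?: number };

const COOLDOWN_MS = 60_000; // assumed value; the page does not state the real cooldown

class TicketGuard {
  private openTickets = new Map<string, number>(); // "guildId:userId" -> open ticket number
  private lastCreated = new Map<string, number>(); // "guildId:userId" -> creation time (ms)
  private counters = new Map<string, number>();    // guildId -> last ticket number issued

  // Check and reserve in one synchronous step, so two rapid modal
  // submissions cannot both pass the check before either is recorded.
  tryCreate(guildId: string, userId: string, now: number = Date.now()): Decision {
    const key = `${guildId}:${userId}`;
    if (this.openTickets.has(key)) {
      return { ok: false, reason: "open_ticket_exists" };
    }
    const last = this.lastCreated.get(key);
    if (last !== undefined && now - last < COOLDOWN_MS) {
      return { ok: false, reason: "cooldown", retryAfterMs: COOLDOWN_MS - (now - last) };
    }
    const ticketNumber = (this.counters.get(guildId) ?? 0) + 1;
    this.counters.set(guildId, ticketNumber);
    this.openTickets.set(key, ticketNumber);
    this.lastCreated.set(key, now);
    return { ok: true, ticketNumber };
  }

  // Closing frees the open-ticket slot; the cooldown still applies afterwards.
  close(guildId: string, userId: string): boolean {
    return this.openTickets.delete(`${guildId}:${userId}`);
  }
}

// Constructed replay: one user submitting repeatedly, plus an unrelated user.
function replay(): string[] {
  const guard = new TicketGuard();
  const t0 = 1_000_000;
  const steps: Decision[] = [
    guard.tryCreate("g1", "alice", t0),         // first ticket is created
    guard.tryCreate("g1", "alice", t0 + 1_000), // refused: ticket still open
    guard.tryCreate("g1", "bob", t0 + 1_000),   // other users are unaffected
  ];
  guard.close("g1", "alice");
  steps.push(guard.tryCreate("g1", "alice", t0 + 5_000));       // closed, but inside cooldown
  steps.push(guard.tryCreate("g1", "alice", t0 + COOLDOWN_MS)); // cooldown elapsed
  return steps.map((d) => (d.ok ? `created#${d.ticketNumber}` : d.reason));
}
```

In a real deployment the open-ticket check belongs in the database write itself (for example a uniqueness constraint on open tickets per `guildId + userId`), so that it holds across bot restarts and multiple processes.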
Preconditions
- config: Ticket system is configured and a ticket panel exists with the Create Ticket button.
- config: The bot has permission to create channels.
- auth: The attacker can access the ticket panel (no special authentication bypass needed).
- input: The attacker submits the ticket modal with a reason.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2
News mentions
No linked articles in our index yet.