CVE-2026-47195: CWE-863: Incorrect Authorization in duck-organization questbot
Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member’s effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6.
AI Analysis
Technical Summary
CVE-2026-47195 describes an incorrect authorization vulnerability (CWE-863) in the Quest Bot Discord bot by duck-organization. Before version 1.1.6, the bot's purge and slowmode commands verified only the invoking member's guild-level permissions, neglecting their effective permissions in the specific channel. Consequently, users denied channel-level moderation permissions could still perform message deletions and slowmode changes through the bot. This flaw was addressed and patched in version 1.1.6.
Potential Impact
Users lacking channel-level moderation permissions could bypass intended restrictions and perform moderation actions such as deleting messages or changing slowmode settings via the bot. This could lead to unauthorized message removal or channel configuration changes, impacting channel integrity and moderation controls.
Mitigation Recommendations
Upgrade Quest Bot to version 1.1.6 or later, where the authorization checks for purge and slowmode commands properly verify channel-level permissions. No additional mitigation is required once the bot is updated.
CVE-2026-47195: CWE-863: Incorrect Authorization in duck-organization questbot
Description
Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member’s effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6.
CVSS v4.0
Score 7.1high
Affected software
pkg:github/duck-organization/questbotRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-47195 describes an incorrect authorization vulnerability (CWE-863) in the Quest Bot Discord bot by duck-organization. Before version 1.1.6, the bot's purge and slowmode commands verified only the invoking member's guild-level permissions, neglecting their effective permissions in the specific channel. Consequently, users denied channel-level moderation permissions could still perform message deletions and slowmode changes through the bot. This flaw was addressed and patched in version 1.1.6.
Potential Impact
Users lacking channel-level moderation permissions could bypass intended restrictions and perform moderation actions such as deleting messages or changing slowmode settings via the bot. This could lead to unauthorized message removal or channel configuration changes, impacting channel integrity and moderation controls.
Mitigation Recommendations
Upgrade Quest Bot to version 1.1.6 or later, where the authorization checks for purge and slowmode commands properly verify channel-level permissions. No additional mitigation is required once the bot is updated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-18T22:07:37.435Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2bfa79e617e2d83469ab12
Added to database: 6/12/2026, 12:24:25 PM
Last enriched: 6/12/2026, 12:39:28 PM
Last updated: 6/12/2026, 1:57:57 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.