CVE-2026-49347: CWE-770: Allocation of Resources Without Limits or Throttling in duck-organization questbot
Quest Bot, an open-source Discord bot by duck-organization, prior to version 1.1.8, allowed any user with access to the ticket panel to repeatedly create new ticket channels without limits or throttling. This could lead to resource exhaustion due to uncontrolled creation of ticket channels and database entries. The issue was patched in version 1.1.8, which introduced checks to prevent users from opening multiple tickets simultaneously and applied cooldowns.
AI Analysis
Technical Summary
CVE-2026-49347 describes a resource allocation vulnerability (CWE-770) in the Quest Bot Discord bot. Before version 1.1.8, the bot did not limit or throttle the creation of new ticket channels by users, allowing repeated creation of ticket channels and database tickets without restriction. This could lead to resource exhaustion or denial of service. The vulnerability was fixed in version 1.1.8 by adding checks to prevent users from having multiple open tickets and implementing cooldowns between ticket creations.
Potential Impact
Unrestricted creation of ticket channels and database entries by any user with ticket panel access could lead to resource exhaustion on the Discord server or the bot's backend, potentially degrading service availability or performance. There is no indication of privilege escalation or data compromise. The CVSS score of 5.3 reflects a medium severity impact primarily due to resource consumption.
Mitigation Recommendations
Upgrade Quest Bot to version 1.1.8 or later, where this vulnerability is patched. The fix includes checks to prevent users from opening multiple tickets simultaneously and applies cooldowns to limit ticket creation frequency. No additional mitigation is required if the bot is updated.
CVE-2026-49347: CWE-770: Allocation of Resources Without Limits or Throttling in duck-organization questbot
Description
Quest Bot, an open-source Discord bot by duck-organization, prior to version 1.1.8, allowed any user with access to the ticket panel to repeatedly create new ticket channels without limits or throttling. This could lead to resource exhaustion due to uncontrolled creation of ticket channels and database entries. The issue was patched in version 1.1.8, which introduced checks to prevent users from opening multiple tickets simultaneously and applied cooldowns.
CVSS v4.0
Score 5.3medium
Affected software
pkg:github/duck-organization/questbotRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-49347 describes a resource allocation vulnerability (CWE-770) in the Quest Bot Discord bot. Before version 1.1.8, the bot did not limit or throttle the creation of new ticket channels by users, allowing repeated creation of ticket channels and database tickets without restriction. This could lead to resource exhaustion or denial of service. The vulnerability was fixed in version 1.1.8 by adding checks to prevent users from having multiple open tickets and implementing cooldowns between ticket creations.
Potential Impact
Unrestricted creation of ticket channels and database entries by any user with ticket panel access could lead to resource exhaustion on the Discord server or the bot's backend, potentially degrading service availability or performance. There is no indication of privilege escalation or data compromise. The CVSS score of 5.3 reflects a medium severity impact primarily due to resource consumption.
Mitigation Recommendations
Upgrade Quest Bot to version 1.1.8 or later, where this vulnerability is patched. The fix includes checks to prevent users from opening multiple tickets simultaneously and applies cooldowns to limit ticket creation frequency. No additional mitigation is required if the bot is updated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-29T14:35:45.903Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2bfa79e617e2d83469ab22
Added to database: 6/12/2026, 12:24:25 PM
Last enriched: 6/12/2026, 12:39:32 PM
Last updated: 6/12/2026, 2:09:28 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.