CVE-2025-26604
Published: 18 February 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2025-26604 is a vulnerability in Discord-Bot-Framework-Kernel, a Discord bot framework built with interactions.py that supports modular extension management and secure execution. The issue stems from the framework's support for arbitrary user-submitted code execution, enabling the execution of potentially malicious code that can cause damage or extract sensitive information, such as the bot token. It affects any Discord user hosting Discord-Bot-Framework-Kernel prior to commit f0d9e70841a0e3170b88c4f8d562018ccd8e8b14. The vulnerability is rated 8.3 (High) under CVSS 3.1 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:H) and is associated with CWE-200 (Exposure of Sensitive Information).
Attackers with high privileges can exploit this by loading a malicious module and executing a command to extract the bot token. With the token, they can deploy a blocking module to sabotage the bot via a DDoS-style attack, while using the stolen token to operate a fake bot that impersonates the legitimate one. If the bot holds high privileges on the Discord server, attackers gain effectively full control until the bot is kicked.
Advisories recommend upgrading to commit f0d9e70841a0e3170b88c4f8d562018ccd8e8b14 or later. For those unable to upgrade, limiting the Discord bot's access through configuration options may reduce risk. Relevant details are available in the GitHub commit and security advisory.
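To confirm that a deployment is at or past the fix commit named above, the following added example (not taken from the advisory or the project) checks a local checkout's history. It assumes the bot is deployed as a git checkout of Discord-Bot-Framework-Kernel; the function name and the directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: checks whether a checkout already contains the fix commit.
# Assumption: the bot runs from a git checkout; the path you pass is your own.

# Fix commit named in the advisory text.
FIX_COMMIT=f0d9e70841a0e3170b88c4f8d562018ccd8e8b14

# check_fix_present DIR [COMMIT]
# Returns 0 if HEAD of DIR contains COMMIT (patched),
#         1 if COMMIT is known locally but HEAD does not contain it (vulnerable),
#         2 if it cannot be decided (not a git checkout, or the commit object
#           is missing, e.g. a shallow clone or a history that was never fetched).
check_fix_present() {
    dir=$1
    commit=${2:-$FIX_COMMIT}

    if ! git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "unknown: $dir is not a git checkout" >&2
        return 2
    fi
    # Ancestry can only be decided if the commit object exists locally.
    if ! git -C "$dir" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        echo "unknown: $commit not in local history (fetch or unshallow first)" >&2
        return 2
    fi
    if git -C "$dir" merge-base --is-ancestor "$commit" HEAD; then
        echo "patched: HEAD contains $commit"
        return 0
    fi
    echo "vulnerable: HEAD does not contain $commit" >&2
    return 1
}

# Usage (path is a placeholder): check_fix_present /path/to/bot/checkout
```

A result of 2 is not a pass: a copy deployed from an archive or a shallow clone has to be compared against the upstream history some other way.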
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables arbitrary Python code execution via malicious module loading to extract sensitive information such as the bot token.