Skip to main content

Quest Bot CVE-2026-47169

| EUVDEUVD-2026-36297 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-06-11 GitHub_M
7.5
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.0 HIGH

Requires pre-existing ManageGuild (PR:H) and a specific bot-vs-target role hierarchy (AC:H); compromise of the Discord guild beyond the bot's own scope yields S:C with full C/I/A impact.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 11, 2026 - 20:01 EUVD
Analysis Generated
Jun 11, 2026 - 19:17 vuln.today

DescriptionCVE.org

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot’s AutoRole feature to assign an arbitrary role to new members. If the selected role has Administrator and is below the bot’s highest role, the attacker can join with a controlled account and receive full server admin. This issue has been patched in version 1.0.3.

AnalysisAI

Privilege escalation in Quest Bot (open-source Discord moderation bot) prior to version 1.0.3 allows a user holding only the Manage Server (ManageGuild) permission to abuse the AutoRole configuration to auto-assign an Administrator-level role to newly joining members. No public exploit identified at time of analysis, but the attack path is fully documented in the GitHub Security Advisory GHSA-8vgg-4hpx-7qfg, making the technique trivially reproducible by anyone with the required guild permission.

Technical ContextAI

Quest Bot is a Discord automation bot (cpe:2.3:a:duck-organization:quest-bot) whose AutoRole feature automatically grants a configured role to members joining a guild. The root cause maps to CWE-266 (Incorrect Privilege Assignment): the configuration command checks that the invoking user holds ManageGuild, but does not additionally require Manage Roles or Administrator, nor does it validate that the target role's privilege level is not greater than the configurer's own. Combined with Discord's role hierarchy model - where any bot can assign roles ranked below its own highest role - this lets a low-privileged guild manager weaponize the bot's role position to elevate arbitrary new members to full Administrator.

RemediationAI

Vendor-released patch: Quest Bot 1.0.3 - upgrade the self-hosted bot instance (or confirm the hosted instance has been updated) using the release at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3, as documented in GHSA-8vgg-4hpx-7qfg. Until patched, the most effective compensating control is to demote the bot's highest role below any Administrator-level role in the Discord role hierarchy, which structurally prevents the bot from ever assigning Administrator (side effect: the bot can no longer manage Administrator-tier roles for any legitimate use case). Additional hardening: restrict ManageGuild to fully trusted staff only, and audit the current AutoRole configuration for unexpected privileged roles before and after upgrading.

Share

CVE-2026-47169 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy