Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Requires pre-existing ManageGuild (PR:H) and a specific bot-vs-target role hierarchy (AC:H); compromise of the Discord guild beyond the bot's own scope yields S:C with full C/I/A impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot’s AutoRole feature to assign an arbitrary role to new members. If the selected role has Administrator and is below the bot’s highest role, the attacker can join with a controlled account and receive full server admin. This issue has been patched in version 1.0.3.
AnalysisAI
Privilege escalation in Quest Bot (open-source Discord moderation bot) prior to version 1.0.3 allows a user holding only the Manage Server (ManageGuild) permission to abuse the AutoRole configuration to auto-assign an Administrator-level role to newly joining members. No public exploit identified at time of analysis, but the attack path is fully documented in the GitHub Security Advisory GHSA-8vgg-4hpx-7qfg, making the technique trivially reproducible by anyone with the required guild permission.
Technical ContextAI
Quest Bot is a Discord automation bot (cpe:2.3:a:duck-organization:quest-bot) whose AutoRole feature automatically grants a configured role to members joining a guild. The root cause maps to CWE-266 (Incorrect Privilege Assignment): the configuration command checks that the invoking user holds ManageGuild, but does not additionally require Manage Roles or Administrator, nor does it validate that the target role's privilege level is not greater than the configurer's own. Combined with Discord's role hierarchy model - where any bot can assign roles ranked below its own highest role - this lets a low-privileged guild manager weaponize the bot's role position to elevate arbitrary new members to full Administrator.
RemediationAI
Vendor-released patch: Quest Bot 1.0.3 - upgrade the self-hosted bot instance (or confirm the hosted instance has been updated) using the release at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3, as documented in GHSA-8vgg-4hpx-7qfg. Until patched, the most effective compensating control is to demote the bot's highest role below any Administrator-level role in the Discord role hierarchy, which structurally prevents the bot from ever assigning Administrator (side effect: the bot can no longer manage Administrator-tier roles for any legitimate use case). Additional hardening: restrict ManageGuild to fully trusted staff only, and audit the current AutoRole configuration for unexpected privileged roles before and after upgrading.
Mass mention abuse in Quest Bot (open-source Discord moderation/utility bot) before version 1.0.3 allows any normal Disc
Cross-tenant AutoMod rule deletion in Quest Bot (Discord bot) prior to 1.0.5 lets a user with Manage Server permission i
Privilege escalation in Quest Bot Discord bot versions prior to 1.0.1 allows any guild member with slash-command access
Unsanitized output in Quest Bot's ticket creation workflow allows any unprivileged Discord server member to inject @ever
Ticket transcript redirection in Quest Bot (prior to v1.0.4) allows a privileged user with bot settings access to config
Quest Bot, an open-source Discord moderation/utility bot, exposes private channel message contents to privileged users w
Quest Bot (Discord moderation bot) prior to v1.0.4 allows low-privileged moderators to leverage the bot's elevated Disco
Unsanitized reason text in Quest Bot's /unban and /unwarn Discord commands enables authenticated moderators to trigger m
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36297