
Quest Bot CVE-2026-47172

EUVD-2026-36300 · CRITICAL
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-06-11 · Vendor: GitHub_M
CVSS 4.0 base score: 9.5

Severity by source

Vendor (GitHub_M), primary: 9.5 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 9.0 CRITICAL
Rationale: network-reachable via PR submission with no authentication or user interaction, but AC:H reflects the required workflow_run + head_sha + branch-name-gate pattern; scope changes to the production bot and its Discord guilds, with all impacts High.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Patch available: Jun 11, 2026 - 20:01 (EUVD)
Analysis Generated: Jun 11, 2026 - 19:19 (vuln.today)
CVE Published: Jun 11, 2026 - 18:28 (cve.org)

Description (CVE.org)

Quest Bot is an open-source modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks out the triggering workflow's head_sha, builds that code into a Docker image, pushes it as latest, and triggers production deployment. If an attacker can open a pull request from a branch named main, the deploy workflow condition can treat the PR build as deployable and build the attacker-controlled commit in a privileged deployment context. This can result in malicious container deployment and production bot compromise. This issue has been patched in version 1.0.3.

Analysis (AI)

Privileged GitHub Actions workflow injection in Quest Bot (Discord moderation bot) prior to version 1.0.3 allows remote attackers to deploy malicious container images to production by opening a pull request from a branch named 'main'. The unprivileged build workflow's head_sha is consumed by a downstream privileged deploy workflow, which then builds and publishes attacker-controlled code as the 'latest' Docker image and triggers production rollout. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Fork target repo
Delivery: Create branch named 'main' with malicious Dockerfile
Exploit: Open PR from 'main' to upstream
Install: Build workflow runs on PR
C2: Deploy workflow checks out attacker head_sha
Execute: Push malicious image as latest
Impact: Production bot compromise across Discord guilds

Vulnerability Assessment (AI)

Exploitation: Requires the target repository to use the pre-1.0.3 workflow layout where an unprivileged build workflow runs on pull_request and a privileged deploy workflow triggers on its workflow_run completion, checks out github.event.workflow_run.head_sha, and gates on the head branch name being 'main'. …

Risk Assessment: CVSS 4.0 base of 9.5 (AV:N/AC:L/AT:P/PR:N/UI:N with VC/VI/VA/SC/SI/SA all High) is plausible because successful exploitation yields full compromise of the production bot container and the downstream Discord servers it operates in, a subsequent-system impact that justifies SC/SI/SA:H. …

Exploit Scenario: An attacker forks duck-organization/questbot, creates a branch literally named 'main' in their fork, commits a backdoored bot image build (e.g., a token exfiltrator or reverse shell in the Dockerfile), and opens a pull request from that 'main' branch into the upstream repository. The upstream build workflow runs on the PR and completes; the deploy workflow then fires on workflow_run, checks out the PR's head_sha, builds the attacker's Dockerfile, pushes it as the 'latest' tag to the registry, and triggers production rollout, at which point the malicious container runs with the production bot token and compromises every Discord guild it is installed in. …

Remediation: Upgrade to Quest Bot 1.0.3 (vendor-released patch: questbot-v1.0.3) by pulling the fixed workflow definitions from https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3 and re-deploying; forks must merge the workflow changes, not just rebase application code. …
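The gating flaw described in the Exploitation and Remediation notes above comes down to which fields of the workflow_run event the privileged deploy job inspects before it trusts head_sha. The following Python is an added example, not code from the Quest Bot project or from vuln.today. It models the relevant subset of the github.event.workflow_run payload with constructed sample runs and a placeholder repository name (example-org/example-repo, an assumption), and compares a branch-name-only gate of the kind the advisory describes with one that also requires the triggering event to be a push to the upstream repository itself.

```python
"""Deploy-gate check for a workflow_run-triggered GitHub Actions job.

Added example; not code from the Quest Bot project. It models the fields
GitHub places in github.event.workflow_run and contrasts the branch-name-only
gate described in the advisory with a gate that also requires the build to
have come from a push to the upstream repository.
"""

# Placeholder for the upstream repository (assumption, not the project's name).
UPSTREAM_REPO = "example-org/example-repo"
TRUSTED_BRANCH = "main"


def weak_gate(run: dict) -> bool:
    """Pre-1.0.3 style condition: deployable when the completed build's head
    branch is named 'main'. A pull request opened from a fork branch that is
    literally named 'main' satisfies it, which is the flaw in the advisory."""
    return run["conclusion"] == "success" and run["head_branch"] == TRUSTED_BRANCH


def strict_gate(run: dict, upstream_repo: str = UPSTREAM_REPO) -> bool:
    """Hardened condition: the build succeeded, was triggered by a push (not a
    pull_request), and its commit lives on the trusted branch of the upstream
    repository itself, so a fork cannot satisfy it whatever its branch name."""
    head_repo = run.get("head_repository") or {}
    return (
        run["conclusion"] == "success"
        and run["event"] == "push"
        and head_repo.get("full_name") == upstream_repo
        and run["head_branch"] == TRUSTED_BRANCH
    )


def make_run(event: str, head_repo: str, head_branch: str, head_sha: str) -> dict:
    """Build a constructed subset of a workflow_run payload for testing."""
    return {
        "event": event,
        "conclusion": "success",
        "head_branch": head_branch,
        "head_sha": head_sha,
        "head_repository": {"full_name": head_repo},
    }


# Constructed sample payloads (not real events; SHAs are dummy values).
UPSTREAM_PUSH = make_run("push", UPSTREAM_REPO, "main", "0" * 40)
FORK_PR_NAMED_MAIN = make_run("pull_request", "someone/example-repo", "main", "1" * 40)
FORK_PR_FEATURE = make_run("pull_request", "someone/example-repo", "feature", "2" * 40)


def evaluate(runs: dict) -> dict:
    """Return {name: (weak_gate result, strict_gate result)} for each run."""
    return {name: (weak_gate(r), strict_gate(r)) for name, r in runs.items()}


if __name__ == "__main__":
    samples = {
        "upstream push to main": UPSTREAM_PUSH,
        "fork PR, branch named main": FORK_PR_NAMED_MAIN,
        "fork PR, feature branch": FORK_PR_FEATURE,
    }
    for name, (weak, strict) in evaluate(samples).items():
        print(f"{name:28s} weak={weak!s:5s} strict={strict!s:5s}")
```

The fork PR whose branch is named main passes the weak gate and fails the strict one, which is exactly the distinction the fix needs to draw. In a workflow file the strict gate corresponds to an `if:` on the deploy job such as `github.event.workflow_run.event == 'push' && github.event.workflow_run.head_repository.full_name == github.repository && github.event.workflow_run.head_branch == 'main'`, and the job should only check out `github.event.workflow_run.head_sha` with deploy credentials after that condition holds. Simpler still is to trigger the deploy workflow directly on push to main and keep workflow_run out of the privileged path altogether.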

Recommended Action (AI)

Within 24 hours: Identify all Quest Bot deployments in use; implement mandatory code review approval for pull requests and apply least-privilege access controls to GitHub Actions workflows. …


CVE-2026-47172 vulnerability details – vuln.today
