Skip to main content

Quest Bot CVE-2026-47197

| EUVDEUVD-2026-36414 HIGH
Missing Authorization (CWE-862)
2026-06-12 GitHub_M
7.2
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.5 HIGH

Exploited over Discord (AV:N) by any moderator with a permission bit (PR:L), no user interaction, scope changes to the Discord guild (S:C); primary impact is integrity of higher-ranked accounts (I:H) with some availability loss via bans/timeouts (A:L) and no data disclosure.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 14:01 EUVD
Analysis Generated
Jun 12, 2026 - 12:51 vuln.today

DescriptionCVE.org

Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6.

AnalysisAI

Discord role hierarchy bypass in Quest Bot (open-source Discord moderation bot) prior to version 1.1.6 allows moderators to perform privileged actions against users ranked above them in the server role hierarchy. Any moderator holding the relevant Discord permission bit can ban, kick, timeout, untimeout, warn, or rename higher-ranked members so long as the bot itself outranks the target. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Quest Bot is an open-source Discord bot (CPE cpe:2.3:a:duck-organization:questbot) that executes moderation commands on behalf of users via the Discord API. Discord normally enforces a role hierarchy in which a member cannot moderate another member whose highest role is equal to or above their own. The root cause is CWE-862 (Missing Authorization): Quest Bot only verified that the invoking user held the Discord permission bit for the action and that the bot's role outranked the target, but never compared the invoker's top role against the target's top role. Because the bot acts with its own (higher) role, this effectively launders the moderator's request through a more privileged identity, defeating Discord's client- and API-side hierarchy checks.

RemediationAI

Vendor-released patch: questbot-v1.1.6 - operators of Quest Bot should upgrade to 1.1.6 or later per the release at https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6 and the advisory at https://github.com/duck-organization/questbot/security/advisories/GHSA-qw95-583r-hrwp. Until the upgrade is deployed, the most effective compensating controls are to lower Quest Bot's role beneath the roles you want to protect (so it cannot act on admins/owners at all - trade-off: it can no longer moderate equally high-ranked offenders), revoke Discord moderation permission bits (Ban Members, Kick Members, Moderate Members, Manage Nicknames) from lower-trust moderator roles, or temporarily remove/disable the bot in sensitive servers. Audit recent moderation actions (ban/kick/timeout/warn/rename) issued through Quest Bot against high-ranked accounts to detect prior abuse before patching.

Share

CVE-2026-47197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy