CVE-2026-47169

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot’s AutoRole feature to assign an arbitrary role to new members. If the selected role has Administrator and is below the bot’s highest role, the attacker can join with a controlled account and receive full server admin. This issue has been patched in version 1.0.3.

CVSS

No CVSS.

References

Link	Resource
https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3
https://github.com/duck-organization/questbot/security/advisories/GHSA-8vgg-4hpx-7qfg
https://github.com/duck-organization/questbot/security/advisories/GHSA-8vgg-4hpx-7qfg

Configurations

No configuration.

History

11 Jun 2026, 20:16

Type	Values Removed	Values Added
References	~~() https://github.com/duck-organization/questbot/security/advisories/GHSA-8vgg-4hpx-7qfg -~~	() https://github.com/duck-organization/questbot/security/advisories/GHSA-8vgg-4hpx-7qfg -

11 Jun 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-11 19:16

Updated : 2026-06-11 20:58

NVD link : CVE-2026-47169

Mitre link : CVE-2026-47169

CVE.ORG link : CVE-2026-47169

JSON object : View

Products Affected

No product.

CWE

CWE-266

Incorrect Privilege Assignment

{"id": "CVE-2026-47169", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-06-11T19:16:44.733", "references": [{"url": "https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3", "source": "security-advisories@github.com"}, {"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-8vgg-4hpx-7qfg", "source": "security-advisories@github.com"}, {"url": "https://github.com/duck-organization/questbot/security/advisories/GHSA-8vgg-4hpx-7qfg", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-266"}]}], "descriptions": [{"lang": "en", "value": "Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot\u2019s AutoRole feature to assign an arbitrary role to new members. If the selected role has Administrator and is below the bot\u2019s highest role, the attacker can join with a controlled account and receive full server admin. This issue has been patched in version 1.0.3."}], "lastModified": "2026-06-11T20:58:18.123", "sourceIdentifier": "security-advisories@github.com"}