Quest Bot: Manage Server users can configure AutoRole to grant...

7.5 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot’s AutoRole feature to assign an arbitrary role to new members. If the selected role has Administrator and is below the bot’s highest role, the attacker can join with a controlled account and receive full server admin. This issue has been patched in version 1.0.3.

Basic Information

ID CVE-2026-47169

Source GitHub_M

Published Jun 11, 2026 at 18:25

Affected Product

Vendor duck-organization

Product quest-bot

Version < 1.0.3

Affected Versions duck-organization quest-bot < 1.0.3

CWE Classification

CWE-266

References

{
    "lastseen": "",
    "description": "Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot\u2019s AutoRole feature to assign an arbitrary role to new members. If the selected role has Administrator and is below the bot\u2019s highest role, the attacker can join with a controlled account and receive full server admin. This issue has been patched in version 1.0.3.",
    "published": "2026-06-11T18:25:33.159Z",
    "modified": "2026-06-11T18:25:33.159Z",
    "type": "cve",
    "title": "Quest Bot: Manage Server users can configure AutoRole to grant Administrator to controlled joining accounts",
    "source": "GitHub_M",
    "references": "https://github.com/duck-organization/questbot/security/advisories/GHSA-8vgg-4hpx-7qfg\nhttps://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3",
    "id": "CVE-2026-47169",
    "bulletinFamily": "",
    "cwe": [
        "CWE-266"
    ],
    "cvelist": null,
    "sourceData": "duck-organization quest-bot < 1.0.3",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "quest-bot",
    "version": "< 1.0.3",
    "vendor": "duck-organization",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Quest Bot: Manage Server users can configure AutoRole to grant Administrator to controlled joining accounts_CVE-2026-47169