CVE-2026-47169: Quest Bot: Manage Server users can configure AutoRole to grant Administrator to controlled joining accounts
Quest Bot is an open-source, modern Discord bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot's AutoRole feature to assign an arbitrary role to new members. If the selected role has Administrator and is below the bot's highest role, the attacker can join with a controlled account and receive full server admin. This issue has been patched in version 1.0.3.
Metrics
- CVSS v4.0: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a privilege-escalation vulnerability in Quest Bot, an open-source Discord moderation and utility bot. A user holding the Manage Server permission (but lacking Administrator or Manage Roles) can abuse the AutoRole feature to assign an arbitrary role, including one with Administrator privileges, to any newly joined account they control. Successful exploitation gives the attacker full server administrator access. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix version is published.
HarborGuard Coverage
- Detection: Available. Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Quest Bot or its dependencies.
- Scoring and routing: Available. HarborGuard scores this finding at CVSS 7.5 (HIGH) and weights it against each environment's compliance policy, then routes the alert to the appropriate team inbox within the customer organization.
- Remediation: Pending upstream. Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a pull request opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required. The attacker configures AutoRole over the network through Discord's API and then triggers exploitation by having a controlled account join the server remotely.
- Authentication: Required. An admin-level account is needed to reach the AutoRole configuration endpoint; however, in this context the attacker only needs a Discord account with the Manage Server permission, which is a scoped privilege below full Administrator.
- Victim interaction: Not required. No interaction from another user or victim is required; the attacker configures the malicious AutoRole assignment and joins with a controlled account independently.
- Attack complexity: Low (AC:L). The CVSS vector notes an attack-requirements condition (AT:P), meaning specific environmental prerequisites must be met, namely that the target role with Administrator must exist below the bot's highest role position, but no race conditions or unpredictable system states are involved once that condition is satisfied.
Blast Radius
- The attacker gains full Administrator access on the Discord server, allowing them to read all channels and message history, including private or restricted content.
- With Administrator privileges the attacker can modify server settings, channels, roles, and permissions, overwriting any existing configuration.
- The attacker can kick or ban legitimate members, disrupt moderation workflows, and effectively take over server operations entirely.
How HarborGuard Handles This
Available on HarborGuard: images containing Quest Bot are matched against this CVE within minutes of advisory ingestion, and the finding is surfaced with a CVSS 7.5 HIGH severity rating weighted by each customer's compliance policy. Because no upstream fix version exists at this time, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment duck-organization publishes a remediated release. For customers with auto-remediation enabled, that rebuild will trigger a regression-test run and a pull request against affected workloads without any manual steps. In the interim, compensating controls to consider include restricting the Manage Server permission to fully trusted accounts only, auditing existing AutoRole configurations to ensure no Administrator-bearing role is assigned, and applying network-policy isolation to limit which identities can reach the bot's configuration interface.
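The authorization gate this advisory calls for, as an added example that is not Quest Bot's own code: it models Discord's permission bits and role hierarchy with plain objects (no discord.js), contrasts the Manage-Server-only check described for versions before 1.0.3 with one that requires Manage Roles, enforces the role hierarchy for both the invoker and the bot, and refuses to let a non-Administrator configure automatic grants of Administrator. Role names, positions and user ids below are constructed.

```javascript
// Added example, not Quest Bot's own code: AutoRole authorization modelled on
// Discord's permission bits and role hierarchy with plain objects (no discord.js).
const ADMINISTRATOR = 1n << 3n;  // permission flag 0x8
const MANAGE_GUILD = 1n << 5n;   // "Manage Server", flag 0x20
const MANAGE_ROLES = 1n << 28n;  // "Manage Roles", flag 0x10000000

// Effective permissions = union of the member's role bits; Administrator implies everything.
const memberPerms = (m, roles) => m.roleIds.reduce((acc, id) => acc | roles[id].permissions, 0n);
const has = (perms, bit) => (perms & ADMINISTRATOR) === ADMINISTRATOR || (perms & bit) === bit;
const highestPosition = (m, roles) => Math.max(0, ...m.roleIds.map((id) => roles[id].position));

// The gate the advisory describes for versions before 1.0.3: Manage Server alone is enough.
function legacyCheck(invoker, roles) {
  return has(memberPerms(invoker, roles), MANAGE_GUILD);
}

// Hardened gate: returns { ok: true } or { ok: false, reason }.
function checkAutoRoleChange(invoker, bot, targetRole, roles, guildOwnerId) {
  const perms = memberPerms(invoker, roles);
  const isOwner = invoker.id === guildOwnerId;  // the owner sits above the role hierarchy
  if (!isOwner && !has(perms, MANAGE_ROLES)) {
    return { ok: false, reason: "invoker lacks Manage Roles" };
  }
  // Role hierarchy: only roles strictly below the invoker's own highest role may be handed out.
  if (!isOwner && targetRole.position >= highestPosition(invoker, roles)) {
    return { ok: false, reason: "target role is not below invoker's highest role" };
  }
  // Never let a non-Administrator configure automatic grants of Administrator.
  if (!isOwner && has(targetRole.permissions, ADMINISTRATOR) && !has(perms, ADMINISTRATOR)) {
    return { ok: false, reason: "target role grants Administrator" };
  }
  // The bot must outrank the role too, or Discord will reject the assignment on join.
  if (targetRole.position >= highestPosition(bot, roles)) {
    return { ok: false, reason: "target role is not below the bot's highest role" };
  }
  return { ok: true };
}

// Constructed sample guild (positions and flags are illustrative, not from the advisory).
const roles = {
  everyone: { position: 0, permissions: 0n }, member: { position: 2, permissions: 0n },
  mod: { position: 3, permissions: MANAGE_GUILD }, roleMgr: { position: 4, permissions: MANAGE_ROLES },
  admin: { position: 5, permissions: ADMINISTRATOR }, botRole: { position: 10, permissions: MANAGE_ROLES },
};
const bot = { id: "bot", roleIds: ["botRole"] };
const mod = { id: "u1", roleIds: ["mod"] };          // Manage Server only: the account the advisory describes
const roleMgr = { id: "u2", roleIds: ["roleMgr"] };  // Manage Roles but no Administrator

console.log(legacyCheck(mod, roles), checkAutoRoleChange(mod, bot, roles.admin, roles, "owner"));
```

The legacy gate accepts the Manage-Server-only account while the hardened gate rejects it, and the hierarchy rule also stops a Manage Roles holder from pointing AutoRole at any role at or above their own.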
Affected Products
- duck-organization / quest-bot: < 1.0.3
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N