How is CVE-2026-47172 exploited?

Network reachability (required): The attacker triggers exploitation over the network by opening a pull request against the public repository, requiring no special network position beyond standard internet access. Authentication (not-required): No authentication or account privileges are required beyond the ability to open a pull request, which is available to any unauthenticated GitHub user who creates a free account. Victim interaction (not-required): No victim interaction is needed; the privileged deploy workflow fires automatically after the unprivileged build workflow completes, with no human approval step between them. Attack complexity (info): Base exploit complexity is low and the attack is reliable, though the CVSS vector records an attack requirement (AT:P) noting that the branch-naming condition (a branch named `main`) must be satisfied for the deploy workflow to treat the PR as deployable.

What is the impact of CVE-2026-47172?

The attacker's container image is pushed as the production `latest` tag, replacing the legitimate running bot image in the deployment pipeline. The attacker gains arbitrary code execution inside the privileged deployment context, with access to any secrets, tokens, or credentials injected into the deploy workflow environment. The production Discord bot is fully compromised, enabling the attacker to read, modify, or delete moderation data, support tickets, and server configurations managed by the bot. Downstream systems and services that the bot authenticates to (Discord API tokens, database credentials, third-party integrations) are exposed to exfiltration or abuse.

Back to search

CRITICALCVE-2026-47172Published 2026-06-11Modified 2026-06-11CNA GitHub_M

CVE-2026-47172: Quest Bot: Untrusted pull request code can be built and deployed by privileged `workflow_run` deployment.

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks out the triggering workflow’s head_sha, builds that code into a Docker image, pushes it as latest, and triggers production deployment. If an attacker can open a pull request from a branch named main, the deploy workflow condition can treat the PR build as deployable and build the attacker-controlled commit in a privileged deployment context. This can result in malicious container deployment and production bot compromise. This issue has been patched in version 1.0.3.

CVSS v4.0: 9.5
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a CI/CD pipeline privilege escalation vulnerability in Quest Bot, an open-source Discord bot. A remote, unauthenticated attacker who can open a pull request against the repository can trigger a privileged `workflow_run` deployment workflow that checks out and builds attacker-controlled code, then pushes the resulting Docker image as the production `latest` tag. Successful exploitation gives the attacker full control over the deployed container and the production Discord bot environment. Note: the description states the issue has been patched in version 1.0.3, but no fix version has been formally published to the advisory record yet; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-47172 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images derived from `duck-organization/quest-bot`, including custom-built forks and downstream images. Any image built from an affected commit (pre-1.0.3) in a customer registry or CI pipeline is flagged automatically.

Available

Triage

HarborGuard scores this CVE at CVSS v4.0 9.5 (Critical) and surfaces it with that severity weighting in each environment's finding queue. Per-environment compliance policy rules further prioritize or route the finding to the appropriate team inbox, so the right engineers see it without manual triage overhead.

Available

Patch

Because no fix version has been formally published to the advisory record, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment a confirmed fix version is recorded. In the interim, compensating-control suggestions (see Recommendation) are surfaced in the finding detail for affected environments.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker triggers exploitation over the network by opening a pull request against the public repository, requiring no special network position beyond standard internet access.
AuthenticationNot required
No authentication or account privileges are required beyond the ability to open a pull request, which is available to any unauthenticated GitHub user who creates a free account.
Victim interactionNot required
No victim interaction is needed; the privileged deploy workflow fires automatically after the unprivileged build workflow completes, with no human approval step between them.
Attack complexityDetail
Base exploit complexity is low and the attack is reliable, though the CVSS vector records an attack requirement (AT:P) noting that the branch-naming condition (a branch named `main`) must be satisfied for the deploy workflow to treat the PR as deployable.

Blast Radius

The attacker's container image is pushed as the production `latest` tag, replacing the legitimate running bot image in the deployment pipeline.
The attacker gains arbitrary code execution inside the privileged deployment context, with access to any secrets, tokens, or credentials injected into the deploy workflow environment.
The production Discord bot is fully compromised, enabling the attacker to read, modify, or delete moderation data, support tickets, and server configurations managed by the bot.
Downstream systems and services that the bot authenticates to (Discord API tokens, database credentials, third-party integrations) are exposed to exfiltration or abuse.

How HarborGuard Handles This

Available on HarborGuard: because no fix version has been formally recorded in the advisory, HarborGuard continuously re-checks the upstream advisory on each ingest cycle and will automatically make a patched-image rebuild available the moment version 1.0.3 (or a superseding release) is confirmed in the vulnerability feed. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger without manual intervention as soon as the fix is recorded. In the interim, HarborGuard surfaces the following compensating controls in the finding detail: restrict who can open pull requests against the repository using branch protection rules and required reviewers; add an explicit approval gate between the build workflow and the deploy workflow so no privileged job runs on unreviewed code; scope deploy workflow secrets to protected branches only using GitHub Actions environment protection rules; and apply network-policy isolation to the deployment environment to limit blast radius if an unauthorized image does reach production. Customers running self-hosted runners for this workflow should treat runner isolation as a priority control given the privileged context involved.

See how HarborGuard automates this

Affected packages

duck-organization / quest-bot
< 1.0.3

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

Metrics

Get notified