CVE-2026-47197: Quest Bot: Discord moderation role hierarchy bypass in ban, kick, mute, unmute, warn, and nickname commands
Quest Bot is an open-source Discord bot. Prior to version 1.1.6, a moderator holding the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6.
Metrics
- CVSS v4.0
- 7.2
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A role hierarchy bypass vulnerability exists in Quest Bot, an open-source Discord moderation bot. The flaw is reachable over the network by any user holding a low-privilege Discord moderator role, with no additional interaction required from a victim. Successful exploitation lets a lower-ranked moderator ban, kick, mute, unmute, warn, or rename users who outrank them in the Discord role hierarchy, as long as the bot itself holds a higher position than the target. No fix version has been published upstream yet; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment the upstream fix ships.
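The defect described above is a missing comparison: the bot checks that it outranks the target but never checks that the invoking moderator does. The following is an added example, not Quest Bot's own code, showing the vulnerable gate beside a hardened one against a constructed, library-free model of guild members (role positions as integers, higher meaning higher rank, plus an owner flag; the member fields and function names are assumptions for illustration).

```javascript
// Added example (not from the questbot project): role-hierarchy gate for
// moderation commands, modelled without a Discord library so it runs offline.

// Highest role position a member holds. Discord ranks roles by position:
// a larger position means a higher rank. A member with no roles is rank 0.
// Constructed model: { id, roles: [positions...], isOwner?: boolean }
function topPosition(member) {
  return member.roles.length ? Math.max(...member.roles) : 0;
}

// The vulnerable pattern this advisory describes: only the bot's own rank is
// compared against the target, so a moderator can act on anyone the bot outranks,
// including users above the moderator in the hierarchy.
function canModerateVulnerable(bot, target) {
  return topPosition(bot) > topPosition(target);
}

// Hardened gate. Every condition Discord itself enforces for native moderation is
// re-applied to the bot-mediated action:
//   - the guild owner is never a valid target,
//   - a member cannot moderate themselves,
//   - the bot must still outrank the target (otherwise the API call would fail),
//   - the invoker must strictly outrank the target (equal rank is not enough),
//     unless the invoker is the guild owner.
// Returns null when the action is allowed, otherwise a reason for the error reply.
function moderationDenialReason(invoker, bot, target) {
  if (target.isOwner) return 'target is the server owner';
  if (invoker.id === target.id) return 'cannot moderate yourself';
  if (topPosition(bot) <= topPosition(target)) return 'bot does not outrank target';
  if (!invoker.isOwner && topPosition(invoker) <= topPosition(target)) {
    return 'invoker does not outrank target';
  }
  return null;
}

// Constructed sample guild: bot highest, an admin above a junior moderator,
// an ordinary member, and the owner holding a deliberately low role position.
const SAMPLE_GUILD = {
  bot:    { id: 'bot',   roles: [100] },
  admin:  { id: 'admin', roles: [50, 10] },
  junior: { id: 'jr',    roles: [10] },
  junior2:{ id: 'jr2',   roles: [10] },
  member: { id: 'user',  roles: [1] },
  owner:  { id: 'owner', roles: [5], isOwner: true },
};

// Walks a few invoker/target pairs and reports both gates side by side.
function compareGates(guild) {
  const cases = [
    ['junior', 'admin'],   // the bypass: vulnerable gate says yes
    ['junior', 'member'],  // legitimate action: both gates say yes
    ['junior', 'junior2'], // equal rank: hardened gate refuses
    ['admin',  'owner'],   // owner: hardened gate refuses
  ];
  return cases.map(([i, t]) => ({
    invoker: i,
    target: t,
    vulnerableAllows: canModerateVulnerable(guild.bot, guild[t]),
    hardenedDenial: moderationDenialReason(guild[i], guild.bot, guild[t]),
  }));
}

for (const row of compareGates(SAMPLE_GUILD)) console.log(row);
```

The strict `<=` comparison matters: Discord treats members with the same top role position as unable to act on each other, so a gate using `<` would reintroduce a narrower version of the same bypass. In a real bot the member objects come from the gateway cache rather than this constructed table, but the comparison logic is the same.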
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-47197 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Quest Bot. Any image carrying a questbot release below 1.1.6 is flagged automatically.
- Triage and scoring: Available
HarborGuard scores this finding at CVSS 7.2 (High) and weights it against each environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox inside each customer organization without manual intervention.
- Patched image: Pending upstream
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment duck-organization/questbot ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will trigger without requiring manual action.
Exploit Conditions
- Network reachability: Required
The attacker sends commands to the bot over the network via Discord's API, so the service must be reachable from the internet.
- Authentication: Required
The attacker must hold a low-privilege Discord account that has been granted a relevant moderation permission bit in the target server; any such account is sufficient.
- Victim interaction: Not required
No action from the targeted user or any other party is needed to trigger the hierarchy bypass.
- Attack complexity: Low (AC:L)
Exploitation is generally reliable but depends on the precondition that the bot holds a higher role than the target user (AT:P), introducing an environmental factor the attacker cannot always control.
Blast Radius
- A lower-ranked moderator can permanently ban higher-ranked users from the Discord server, removing their access entirely.
- An attacker can kick, mute, or unmute targeted users, disrupting server operations and silencing or reinstating accounts without authorization.
- An attacker can rename any user the bot outranks, enabling impersonation or harassment of high-privilege accounts.
- Warn records can be written against higher-ranked users, corrupting moderation audit trails and potentially triggering automated punishment thresholds.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix has been published for CVE-2026-47197, the platform monitors the duck-organization/questbot advisory on every ingest cycle. The moment a patched release appears upstream, a rebuilt image at that version becomes available, and for customers who opt into auto-remediation, HarborGuard opens a PR against affected workloads automatically with a regression run included. In the interim, compensating controls are worth considering: restricting, through Discord's own command permission settings, which channels and roles can invoke the bot's moderation commands; moving the bot's role below sensitive roles so it no longer outranks them until a fix is available; and auditing the bot's permission bits to limit its scope to the minimum required. HarborGuard will surface any upstream patch publication as soon as it is detected, with no manual tracking required on the customer's side.
- Affected: duck-organization/questbot < 1.1.6
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H