CVE-2026-47169— Quest Bot: Manage Server users can configure AutoRole to grant Administrator to controlled joining accounts
Possible ATT&CK Techniques 1AI
T1098.004 · SSH Authorized KeysAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| duck-organization | quest-bot | < 1.0.3 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-47169
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Quest Bot: Manage Server users can configure AutoRole to grant Administrator to controlled joining accounts
Source: NVD (National Vulnerability Database)
Vulnerability Description
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot’s AutoRole feature to assign an arbitrary role to new members. If the selected role has Administrator and is below the bot’s highest role, the attacker can join with a controlled account and receive full server admin. This issue has been patched in version 1.0.3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
特权授予不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
Quest Bot 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Quest Bot是Duck Organization开源的一款多功能Discord社区管理机器人。 Quest Bot 1.0.3之前版本存在安全漏洞,该漏洞源于拥有管理服务器权限但没有管理角色或管理员权限的用户可以配置机器人的AutoRole功能为新成员分配任意角色,可能导致攻击者选择具有管理员权限且低于机器人最高角色的角色,加入后获得完全服务器管理员权限。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| duck-organization | quest-bot | < 1.0.3 | - |
II. Public POCs for CVE-2026-47169
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-47169
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-47169 (1)
Vendor Pages for CVE-2026-47169 (1)
- 🔗 Release questbot-v1.0.3 · duck-organization/questbot · GitHubx_refsource_MISC
Same Patch Batch · duck-organization · 2026-06-11 · 11 CVEs total
| CVE-2026-47188 | Quest Bot: Unban and unwarn reason fields still allow bot-powered mass mentions. | |
| CVE-2026-47189 | Quest Bot: AutoMod removal can delete rules from another guild by global rule ID | |
| CVE-2026-47163 | Quest Bot: Unprivileged users can create and remove AutoMod rules. | |
| CVE-2026-47175 | Quest Bot: Moderation reason fields allow bot-powered `@everyone` / `@here` pings | |
| CVE-2026-47177 | Quest Bot: Ticket transcripts can disclose private ticket contents to a lower-visibility c | |
| CVE-2026-47173 | Quest Bot: Ticket reason allows mass-mention injection | |
| CVE-2026-47174 | Duck Site: Untrusted pull request code can trigger privileged production deployment | |
| CVE-2026-47176 | Quest Bot: Logging module can disclose private-channel message contents to a lower-visibil | |
| CVE-2026-47171 | Quest Bot: Reminder messages allow stored mass mentions through `@everyone` and `@here` | |
| CVE-2026-47172 | Quest Bot: Untrusted pull request code can be built and deployed by privileged `workflow_r |
IV. Related Vulnerabilities
Same product: quest-bot
- CVE-2026-47189
Quest Bot: AutoMod removal can delete rules from another gui - CVE-2026-47188
Quest Bot: Unban and unwarn reason fields still allow bot-po - CVE-2026-47177
Quest Bot: Ticket transcripts can disclose private ticket co - CVE-2026-47176
Quest Bot: Logging module can disclose private-channel messa - CVE-2026-47175
Quest Bot: Moderation reason fields allow bot-powered `@ever
Same vendor: duck-organization
- CVE-2026-49347
Quest Bot: Ticket creation has no per-user open-ticket limit - CVE-2026-48485
Quest Bot: Stored warn reasons can still trigger bot-powered - CVE-2026-47197
Quest Bot: Discord moderation role hierarchy bypass in ban, - CVE-2026-47195
Quest Bot: Per-channel permission overwrite bypass in purge - CVE-2026-47196
Quest Bot: Empty automod rule causes every guild message to
Same weakness: CWE-266
- CVE-2026-54807
WordPress Registration Form for WooCommerce plugin <= 1.0.9 - CVE-2026-54805
WordPress Falang multilanguage plugin <= 1.4.2 - Privilege E - CVE-2026-54196
WordPress JetFormBuilder plugin <= 3.6.1 - Privilege Escalat - CVE-2026-49058
WordPress LoginPress Pro plugin <= 6.2.2 - Privilege Escalat - CVE-2026-39546
WordPress MultiLoca plugin <= 4.2.15 - Privilege Escalation
V. Comments for CVE-2026-47169
No comments yet