Impact
Quest Bot allows a Discord user who holds the Manage Server permission, but neither Manage Roles nor Administrator, to configure the bot's AutoRole feature. By selecting an arbitrary role that carries Administrator and sits below the bot's highest role, that user can have a second account under their control join the server and immediately receive full administrative privileges. This gives the attacker complete control of the server, including the ability to ban members, delete channels and change server settings. The flaw is a classic user-controlled privilege escalation, classified as CWE-266.
Affected Systems
The vulnerability affects deployments of duck-organization's Quest Bot version 1.0.2 and earlier. Any server running an affected version in which the bot is permitted to modify AutoRole settings and assign the chosen role is susceptible. Administrators who deploy the bot must apply the fix before the bot becomes active. No operating system or platform exclusions are listed.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. From the description it is inferred that a user holding Manage Server, but not Manage Roles or Administrator, can exploit the flaw by configuring the bot's AutoRole feature to assign an Administrator role positioned below the bot's highest role. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The vulnerability is confined to the Discord server environment and does not compromise external infrastructure.
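The root cause described under Impact and restated here is an authorization gate that checks only Manage Server before letting a user pick the AutoRole target. The following Python is an added illustration, not Quest Bot's own code: it models Discord's permission bitfield and role hierarchy with hypothetical Role and Member types, shows the weak gate beside a hardened one, and uses constructed sample roles and members. The hardened gate applies the same rules Discord itself enforces for role assignment (the configuring user must hold Manage Roles, the role must sit below both the bot's and the user's highest role, and the role may not grant any permission the user does not already hold), which also covers escalations through roles other than Administrator.

```python
from dataclasses import dataclass

# Discord permission bit flags (values as defined by the Discord API).
KICK_MEMBERS  = 1 << 1
BAN_MEMBERS   = 1 << 2
ADMINISTRATOR = 1 << 3
MANAGE_GUILD  = 1 << 5    # shown as "Manage Server" in the client
MANAGE_ROLES  = 1 << 28


@dataclass(frozen=True)
class Role:
    """Hypothetical role model: higher position = higher in the role list."""
    name: str
    position: int
    permissions: int


@dataclass
class Member:
    """Hypothetical member model; effective permissions are the union of role bits."""
    name: str
    roles: list

    @property
    def permissions(self) -> int:
        combined = 0
        for role in self.roles:
            combined |= role.permissions
        return combined

    @property
    def top_position(self) -> int:
        return max((role.position for role in self.roles), default=0)

    def has(self, flag: int) -> bool:
        # Administrator implicitly grants every other permission.
        perms = self.permissions
        return bool(perms & ADMINISTRATOR) or (perms & flag) == flag


def vulnerable_can_configure_autorole(actor: Member) -> bool:
    """The weak gate the advisory describes: Manage Server alone suffices."""
    return actor.has(MANAGE_GUILD)


def validate_autorole_change(actor: Member, role: Role, bot: Member) -> tuple:
    """Hardened gate. Returns (allowed, reason)."""
    if not actor.has(MANAGE_ROLES):
        return False, "actor lacks Manage Roles"
    # The bot can only assign roles below its own highest role.
    if role.position >= bot.top_position:
        return False, "role is not below the bot's highest role"
    # A non-administrator may only hand out roles below their own highest role.
    if role.position >= actor.top_position and not actor.has(ADMINISTRATOR):
        return False, "role is not below the actor's highest role"
    if role.permissions & ADMINISTRATOR and not actor.has(ADMINISTRATOR):
        return False, "role grants Administrator, which the actor does not hold"
    # Generalisation: no permission may be granted that the actor lacks.
    if not actor.has(ADMINISTRATOR):
        missing = role.permissions & ~actor.permissions
        if missing:
            return False, f"role grants permissions the actor lacks: {missing:#x}"
    return True, "ok"


# Constructed sample data for a server.
BOT_ROLE    = Role("Quest Bot", position=50, permissions=MANAGE_ROLES)
ADMIN_ROLE  = Role("Co-Owner", position=15, permissions=ADMINISTRATOR)
BAN_ROLE    = Role("Ban Hammer", position=5, permissions=BAN_MEMBERS)
MEMBER_ROLE = Role("Member", position=1, permissions=0)
MOD_ROLE    = Role("Moderator", position=10, permissions=MANAGE_GUILD | KICK_MEMBERS)
SENIOR_ROLE = Role("Senior Mod", position=20,
                   permissions=MANAGE_GUILD | MANAGE_ROLES | KICK_MEMBERS)

BOT        = Member("Quest Bot", [BOT_ROLE])
MODERATOR  = Member("mod", [MOD_ROLE])          # Manage Server only
SENIOR_MOD = Member("senior", [SENIOR_ROLE])    # Manage Server + Manage Roles

if __name__ == "__main__":
    print("weak gate admits moderator:", vulnerable_can_configure_autorole(MODERATOR))
    for actor in (MODERATOR, SENIOR_MOD):
        for role in (ADMIN_ROLE, BAN_ROLE, MEMBER_ROLE):
            print(actor.name, "->", role.name, validate_autorole_change(actor, role, BOT))
```

Under the weak gate the moderator, who holds only Manage Server, may point AutoRole at the Administrator role; the hardened gate refuses that request for lack of Manage Roles, refuses the senior moderator the same role because it grants Administrator, and refuses the ban-only role because it would hand out a permission the senior moderator does not hold, while a plain member role passes.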
OpenCVE Enrichment