Description
Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6.
Published: 2026-06-12
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Quest Bot allows a moderator with the standard moderation permission bit to act on users higher in the Discord role hierarchy as long as the bot’s role outranks the target user. This bypasses Discord’s built‑in role hierarchy controls and enables lower‑ranked moderators to ban, kick, mute, unmute, warn, or rename higher‑ranked users, compromising the integrity and availability of moderation functions.

Affected Systems

The affected product is Quest Bot by duck-organization. Versions prior to 1.1.6 are affected; the fix is included in release 1.1.6 and later.

Risk and Exploitability

The issue carries a CVSS score of 7.2, indicating a fairly high severity. EPSS data is not available, but the vulnerability can be exploited by any moderator who has the relevant Discord permission bit and can interact with the bot. Because the bot must outrank the target user, the attack requires the bot to be assigned a higher role; this is a typical scenario in many servers. The vulnerability is not listed in the CISA KEV catalog, so no publicly available exploit campaigns are documented yet.

Generated by OpenCVE AI on June 12, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Quest Bot to version 1.1.6 or later.
  • Limit the bot’s role so it does not outrank any users it can moderate, or remove the moderation permission bits from lower‑ranked moderator roles.
  • Review Discord role hierarchy and ensure that moderation permissions are only granted to trusted high‑level moderators.

Generated by OpenCVE AI on June 12, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 13 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Duck-organization
Duck-organization questbot
Vendors & Products Duck-organization
Duck-organization questbot

Fri, 12 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Description Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6.
Title Quest Bot: Discord moderation role hierarchy bypass in ban, kick, mute, unmute, warn, and nickname commands
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H'}

Subscriptions

Duck-organization Questbot
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-13T02:52:59.518Z

Reserved: 2026-05-18T22:07:37.435Z

Link: CVE-2026-47197

cve-icon Vulnrichment

Updated: 2026-06-13T02:51:50.025Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T13:16:33.677

Modified: 2026-06-13T04:17:31.400

Link: CVE-2026-47197

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T20:20:36Z

Weaknesses