CVE-2026-47197: CWE-862: Missing Authorization in duck-organization questbot
Quest Bot, an open-source Discord moderation bot, contained a missing authorization vulnerability prior to version 1.1.6. This flaw allowed moderators with certain Discord permissions to moderate users ranked higher than themselves in the Discord role hierarchy, bypassing Discord's intended protections. Actions such as banning, kicking, timing out, warning, or renaming higher-ranked users could be performed if the bot outranked the target user. The issue has been fixed in version 1.1.6.
AI Analysis
Technical Summary
CVE-2026-47197 is a missing authorization vulnerability (CWE-862) in the duck-organization's Quest Bot for Discord. Before version 1.1.6, the bot permitted moderators with relevant Discord permission bits to perform moderation actions on users above them in the Discord role hierarchy, provided the bot itself outranked the target user. This bypasses Discord's normal role hierarchy enforcement, enabling lower-ranked moderators to ban, kick, timeout, untimeout, warn, or rename higher-ranked users. The vulnerability was patched in Quest Bot version 1.1.6.
Potential Impact
The vulnerability allows unauthorized privilege escalation within Discord moderation by enabling lower-ranked moderators to affect higher-ranked users, violating Discord's role hierarchy protections. This could lead to inappropriate or malicious moderation actions such as bans or kicks against privileged users. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade Quest Bot to version 1.1.6 or later, where this missing authorization vulnerability has been patched. No other mitigation steps are indicated.
CVE-2026-47197: CWE-862: Missing Authorization in duck-organization questbot
Description
Quest Bot, an open-source Discord moderation bot, contained a missing authorization vulnerability prior to version 1.1.6. This flaw allowed moderators with certain Discord permissions to moderate users ranked higher than themselves in the Discord role hierarchy, bypassing Discord's intended protections. Actions such as banning, kicking, timing out, warning, or renaming higher-ranked users could be performed if the bot outranked the target user. The issue has been fixed in version 1.1.6.
CVSS v4.0
Score 7.2high
Affected software
pkg:github/duck-organization/questbotRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-47197 is a missing authorization vulnerability (CWE-862) in the duck-organization's Quest Bot for Discord. Before version 1.1.6, the bot permitted moderators with relevant Discord permission bits to perform moderation actions on users above them in the Discord role hierarchy, provided the bot itself outranked the target user. This bypasses Discord's normal role hierarchy enforcement, enabling lower-ranked moderators to ban, kick, timeout, untimeout, warn, or rename higher-ranked users. The vulnerability was patched in Quest Bot version 1.1.6.
Potential Impact
The vulnerability allows unauthorized privilege escalation within Discord moderation by enabling lower-ranked moderators to affect higher-ranked users, violating Discord's role hierarchy protections. This could lead to inappropriate or malicious moderation actions such as bans or kicks against privileged users. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade Quest Bot to version 1.1.6 or later, where this missing authorization vulnerability has been patched. No other mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-18T22:07:37.435Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2bfa79e617e2d83469ab1a
Added to database: 6/12/2026, 12:24:25 PM
Last enriched: 6/12/2026, 12:39:18 PM
Last updated: 6/12/2026, 2:22:45 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.