PatchSiren cyber security CVE debrief
CVE-2026-47169 duck-organization CVE debrief
CVE-2026-47169 is a HIGH severity vulnerability in Quest Bot, an open-source Discord bot. A user with Manage Server permissions, but without Manage Roles or Administrator, can exploit the AutoRole feature to assign an arbitrary role to new members. If the selected role has Administrator and is below the bot's highest role, the attacker can join with a controlled account and receive full server admin. This issue has been patched in version 1.0.3.
- Vendor: duck-organization
- Product: quest-bot
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of Quest Bot, specifically those with Manage Server permissions, should be aware of this vulnerability and ensure they are running version 1.0.3 or later.
Technical summary
The vulnerability exists in the AutoRole feature of Quest Bot. A user with Manage Server permissions can configure the feature to assign an arbitrary role to new members. If the selected role has Administrator and is below the bot's highest role, the attacker can exploit this to gain full server admin.
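The authorization checks whose absence the summary describes, as an added example (not Quest Bot's code and not the 1.0.3 patch). The `Role`, `Member` and `can_set_autorole` names and the `PRIVILEGED` policy set are hypothetical; the permission bit values are Discord's documented flags.

```python
from __future__ import annotations
from dataclasses import dataclass

# Discord permission bit flags (values from Discord's permissions documentation).
KICK_MEMBERS, BAN_MEMBERS, ADMINISTRATOR = 1 << 1, 1 << 2, 1 << 3
MANAGE_CHANNELS, MANAGE_GUILD = 1 << 4, 1 << 5  # MANAGE_GUILD is "Manage Server"
MANAGE_ROLES, MANAGE_WEBHOOKS = 1 << 28, 1 << 29
# Assumed policy: permissions that a role handed to every new member must not carry.
PRIVILEGED = (ADMINISTRATOR | MANAGE_GUILD | MANAGE_ROLES | KICK_MEMBERS
              | BAN_MEMBERS | MANAGE_CHANNELS | MANAGE_WEBHOOKS)

@dataclass
class Role:
    name: str
    position: int      # higher number = higher in the role hierarchy
    permissions: int

@dataclass
class Member:
    permissions: int   # union of the permissions of all the member's roles
    top_position: int  # position of the member's highest role
    is_owner: bool = False

def can_set_autorole(invoker: Member, bot_top_position: int, role: Role) -> tuple[bool, str]:
    """Return (allowed, reason) for a request to make `role` the AutoRole."""
    is_admin = invoker.is_owner or bool(invoker.permissions & ADMINISTRATOR)
    # 1. Handing out roles is a Manage Roles action; Manage Server alone is not enough.
    if not is_admin and not invoker.permissions & MANAGE_ROLES:
        return False, "invoker lacks Manage Roles"
    # 2. The invoker may only delegate roles below their own highest role.
    if not invoker.is_owner and role.position >= invoker.top_position:
        return False, "role is not below invoker's highest role"
    # 3. The bot can only assign roles below its own highest role.
    if role.position >= bot_top_position:
        return False, "role is not below the bot's highest role"
    # 4. Being below the bot is not sufficient: reject privileged roles outright.
    if role.permissions & PRIVILEGED:
        return False, "role carries privileged permissions"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: a Manage Server-only user selects an Administrator role.
    manager = Member(permissions=MANAGE_GUILD, top_position=5)
    print(can_set_autorole(manager, 10, Role("Admins", 8, ADMINISTRATOR)))
```

Running the same function over the currently stored AutoRole setting also works as an audit for configurations saved before the upgrade.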
Defensive priority
HIGH
Recommended defensive actions
- Update Quest Bot to version 1.0.3 or later.
- Restrict Manage Server permissions to trusted users.
- Monitor server activity for suspicious role assignments.
Evidence notes
CVE-2026-47169 has a CVSS score of 7.5 and is considered HIGH severity. The vulnerability was published on 2026-06-11T19:16:44.733Z and modified on 2026-06-11T20:58:18.123Z.
Official resources
CVE-2026-47169 was published on 2026-06-11T19:16:44.733Z and modified on 2026-06-11T20:58:18.123Z.