PatchSiren cyber security CVE debrief
CVE-2026-47172 duck-organization CVE debrief
CVE-2026-47172 is a CRITICAL vulnerability in Quest Bot, an open-source Discord bot. The vulnerability allows for remote code execution due to a privileged deploy workflow that runs after an unprivileged build workflow, potentially allowing an attacker to deploy a malicious container and compromise the production bot. This issue has been patched in version 1.0.3.
- Vendor: duck-organization
- Product: quest-bot
- CVSS: CRITICAL 9.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of Quest Bot prior to version 1.0.3, administrators of Discord servers using Quest Bot, and security teams monitoring for potential remote code execution vulnerabilities in their applications.
Technical summary
The Quest Bot repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks out the triggering workflow's head_sha, builds that code into a Docker image, pushes it as latest, and triggers production deployment. If an attacker can open a pull request from a branch named main, the deploy workflow condition can treat the PR build as deployable and build the attacker-controlled commit in a privileged deployment context.
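The deploy gate described above, modelled as an added example (not Quest Bot's own code): it assumes the deploy job is driven by a GitHub Actions `workflow_run` event, and the two payloads are constructed, not captured. The weak gate keys only on the branch name, so a pull request whose head branch is called `main` passes; the hardened gate also requires a push event from the base repository itself.

```python
"""Deploy-gate logic for a workflow_run-triggered job, modelled on the
CVE-2026-47172 weakness. Assumption: GitHub Actions `workflow_run` event
payload; field names follow that event's documented shape."""

# Constructed sample payloads (not real events).
PUSH_TO_MAIN = {
    "repository": {"full_name": "duck-organization/quest-bot"},
    "workflow_run": {
        "event": "push",
        "conclusion": "success",
        "head_branch": "main",
        "head_sha": "1" * 40,
        "head_repository": {"full_name": "duck-organization/quest-bot"},
    },
}

FORK_PR_NAMED_MAIN = {
    "repository": {"full_name": "duck-organization/quest-bot"},
    "workflow_run": {
        "event": "pull_request",
        "conclusion": "success",
        "head_branch": "main",  # fork branch deliberately named "main"
        "head_sha": "2" * 40,
        "head_repository": {"full_name": "some-fork/quest-bot"},
    },
}


def weak_gate(payload: dict) -> bool:
    """Vulnerable condition: only build success and branch name are checked."""
    run = payload["workflow_run"]
    return run["conclusion"] == "success" and run["head_branch"] == "main"


def hardened_gate(payload: dict) -> bool:
    """Deploy only a successful push to main from the base repository itself.
    Equivalent workflow `if:` expression (assumed, not from the page):
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'push' &&
      github.event.workflow_run.head_branch == 'main' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    """
    run = payload["workflow_run"]
    return (
        run["conclusion"] == "success"
        and run["event"] == "push"
        and run["head_branch"] == "main"
        and run["head_repository"]["full_name"] == payload["repository"]["full_name"]
    )


def deployable_sha(payload: dict, gate=hardened_gate):
    """Return the head_sha the deploy job may build, or None if the gate rejects it."""
    return payload["workflow_run"]["head_sha"] if gate(payload) else None
```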
Defensive priority
High
Recommended defensive actions
- Upgrade Quest Bot to version 1.0.3 or later.
- Restrict the deploy workflow to only run on trusted branches.
- Monitor for suspicious pull requests and deployment activities.
Evidence notes
CVE-2026-47172 has a CVSS score of 9.5 and is considered CRITICAL. The vulnerability was published on 2026-06-11T19:16:45.240Z and last modified on 2026-06-11T20:58:18.123Z.