PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47197 duck-organization CVE debrief

CVE-2026-47197 is a HIGH severity vulnerability in Quest Bot, a Discord bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord's normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. The issue has been patched in version 1.1.6.

Vendor: duck-organization
Product: questbot
CVSS: HIGH 7.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-12
Original CVE updated: 2026-06-13
Advisory published: 2026-06-12
Advisory updated: 2026-06-13

Who should care

Users of Quest Bot, particularly those with moderation permissions, should be aware of this vulnerability and ensure they are running version 1.1.6 or later to prevent potential exploitation.

Technical summary

The vulnerability exists in Quest Bot versions prior to 1.1.6. A moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This is due to the bot's failure to properly enforce Discord's role hierarchy protections.
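The missing check can be shown with a small model of the authorization decision. This is an added example, not Quest Bot's code or its 1.1.6 patch; the `Member` type, the function names and the sample members are assumptions made for illustration, and only the `BAN_MEMBERS` bit value comes from Discord's permission flags.

```python
from dataclasses import dataclass

BAN_MEMBERS = 1 << 2  # Discord permission bit for banning members


@dataclass(frozen=True)
class Member:
    # Simplified stand-in for a guild member (hypothetical type, not a library class).
    name: str
    top_role_position: int  # higher number = higher in the role list
    permissions: int = 0
    is_owner: bool = False


def outranks(actor: Member, target: Member) -> bool:
    """Discord's hierarchy rule: nobody outranks the guild owner, the owner
    outranks everyone else, otherwise the actor's top role must be strictly higher."""
    if target.is_owner:
        return False
    if actor.is_owner:
        return True
    return actor.top_role_position > target.top_role_position


def can_ban_vulnerable(invoker: Member, bot: Member, target: Member) -> bool:
    # Pattern described in the advisory: permission bit plus the bot's rank only.
    return bool(invoker.permissions & BAN_MEMBERS) and outranks(bot, target)


def can_ban_hardened(invoker: Member, bot: Member, target: Member) -> bool:
    # Additionally require the invoking moderator to outrank the target,
    # so the bot's own rank cannot be borrowed by a lower-ranked moderator.
    return (
        bool(invoker.permissions & BAN_MEMBERS)
        and outranks(invoker, target)
        and outranks(bot, target)
    )


# Constructed sample guild: bot at the top, an admin, a junior moderator, a regular user.
BOT = Member("bot", 10, BAN_MEMBERS)
ADMIN = Member("admin", 8, BAN_MEMBERS)
JUNIOR = Member("junior_mod", 3, BAN_MEMBERS)
USER = Member("user", 1)

if __name__ == "__main__":
    print("vulnerable, junior -> admin:", can_ban_vulnerable(JUNIOR, BOT, ADMIN))
    print("hardened,   junior -> admin:", can_ban_hardened(JUNIOR, BOT, ADMIN))
    print("hardened,   junior -> user: ", can_ban_hardened(JUNIOR, BOT, USER))
```

The same invoker-versus-target comparison applies to each action the advisory lists (ban, kick, timeout, untimeout, warn, rename), with the permission bit swapped for the one that action requires.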

Defensive priority

HIGH

Recommended defensive actions

  • Update Quest Bot to version 1.1.6 or later to patch the vulnerability.
  • Review and adjust moderation permissions to prevent potential exploitation.

Evidence notes

CVE-2026-47197 has a CVSS score of 7.2 and is considered HIGH severity. The vulnerability was published on 2026-06-12T13:16:33.677Z and modified on 2026-06-13T04:17:31.400Z.

Official resources

CVE-2026-47197 was published on 2026-06-12T13:16:33.677Z and modified on 2026-06-13T04:17:31.400Z.