CVE-2026-47197
HIGH
Quest Bot: Discord moderation role hierarchy bypass in ban, kick, mute, unmute, warn, and nickname commands
Title source: cna
Description
Quest Bot is an open-source Discord bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6.
References (2)
x_refsource_confirm: https://github.com/duck-organization/questbot/security/advisories/GHSA-qw95-583r-hrwp
x_refsource_misc: https://github.com/duck-organization/questbot/releases/tag/questbot-v1.1.6
Scores
CVSS v4: 7.2
EPSS: 0.0023
EPSS Percentile: 13.4%
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-862
Status: published
Products (1): duck-organization/questbot < 1.1.6
Published: Jun 12, 2026
Tracked Since: Jun 12, 2026