CVE-2026-47197 HIGH

CVE-2026-47197: Quest Bot: Discord moderation role hierarchy bypass in ban, kick, mute, unmute, warn, and nickname commands

Vendor Duck-Organization
Product questbot
Weakness CWE-862 · Missing authorization
Published June 12, 2026
Last update June 13, 2026
View on NVD All CVEs

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:H

What the vulnerability does

01Description

Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord’s normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6.

Key dates

02Disclosure timeline

June 12, 2026 CVE published
June 13, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-30855 WordPress Ads by WPQuads plugin <= 2.0.87.1 - Broken Access Control Vulnerability CVE-2023-25993 WordPress Top 10 – Popular posts plugin for WordPress plugin <= 3.2.3 - Broken Access Control vulnerability CVE-2025-68013 WordPress Payment Gateway Authorize.Net CIM for WooCommerce plugin <= 2.1.2 - Arbitrary Content Deletion vulnerability CVE-2025-30887 WordPress WpEvently Plugin <= 4.2.9 - Broken Access Control vulnerability CVE-2025-31878 WordPress UPC/EAN/GTIN Code Generator plugin <= 2.0.2 - Settings Change vulnerability