CVE-2026-47169
Description
Quest Bot AutoRole privilege escalation allows users with Manage Server to assign Administrator role to joining accounts, leading to full server compromise. Fixed in v1.0.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Quest Bot versions prior to 1.0.3, the /autorole add slash command only validates that the invoking user has the Manage Server (ManageGuild) permission, but does not verify that the user has Manage Roles or Administrator to assign the selected role. The bot stores the chosen role ID and later, when a new member joins (guildMemberAdd event), automatically assigns that role if the bot's highest role is above the target role. This allows a user with Manage Server but without role management privileges to configure the AutoRole feature to assign an arbitrary role, including one with Administrator permission, to any joining account. [1]
Exploitation
An attacker needs Manage Server permission on a Discord guild where the bot has Manage Roles and the bot's highest role is above an existing Administrator role. The attacker does not require Manage Roles or Administrator. The attacker runs /autorole add role:@Admin bot_role:false (or any role with Administrator). Then, using a second controlled Discord account, the attacker joins the server. The bot automatically assigns the Administrator role to the joining account, granting the attacker full administrative control. [1]
Impact
Successful exploitation results in the attacker gaining the Administrator role on the server, which provides full control over the guild, including the ability to manage roles, channels, and members, effectively compromising the entire server. The attacker can then perform any administrative action, such as deleting channels, banning members, or further escalating privileges. [1]
Mitigation
The vulnerability is patched in Quest Bot version 1.0.3, released on an unspecified date. Users should update to 1.0.3 or later. The fix likely adds proper authorization checks to ensure that only users with Manage Roles or Administrator can configure the AutoRole feature. No workaround is available for versions prior to 1.0.3; upgrading is the only mitigation. [1][2]
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE) range: <1.0.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check in the `/autorole add` command allows a user with only ManageGuild to configure an AutoRole that grants Administrator, bypassing Discord's role-hierarchy and permission requirements."
Attack vector
An attacker with only `Manage Server` (`ManageGuild`) permission—but not `Manage Roles` or `Administrator`—uses the `/autorole add` command to select a role that grants `Administrator` and is below the bot's highest role [ref_id=1]. The bot stores the role ID and later assigns it to any new member who joins. The attacker joins the server with a second controlled account, which automatically receives the `Administrator` role, giving the attacker full server admin privileges [ref_id=1]. This is a privilege-escalation path that bypasses Discord's normal role-hierarchy and permission checks [CWE-269].
Affected code
The `/autorole add` slash command in Quest Bot prior to version 1.0.3 accepts a role option without verifying that the caller has permission to assign that role. The vulnerable sink is the automatic role assignment in the `guildMemberAdd` handler, which applies the stored role without checking whether the original configurator was authorized to manage it. The patch in version 1.0.3 adds a role-hierarchy check at configuration time so that `ManageGuild` alone is insufficient to configure a privileged AutoRole.
What the fix does
The patch adds a role-hierarchy validation inside the `/autorole add` command handler. Before storing the selected role, the code now checks that the invoking member's highest role is above the target role, mirroring Discord's own hierarchy rule. This prevents a user with only `ManageGuild` from configuring a role they could not normally assign. The join-time assignment logic is unchanged because the configuration-time gate eliminates the vulnerability at the source.
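The configuration-time gate described above, as an added example in discord.js-style JavaScript (not Quest Bot's code): the ManageGuild-only check beside a hardened version that also requires ManageRoles and applies Discord's role-hierarchy rule. The permission bit values are Discord's real ones; the member and role objects, the isOwner flag and the bot-hierarchy check at configuration time are constructed assumptions.

```javascript
// Added example, not Quest Bot's own code. Real Discord permission bit values;
// the member/role objects below are constructed to model the scenario on this page.
const PermissionFlags = {
  Administrator: 1 << 3,
  ManageGuild: 1 << 5,
  ManageRoles: 1 << 28,
};

// Administrator implies every other permission, as it does on Discord.
function hasPermission(member, flag) {
  const p = member.permissions;
  return (p & PermissionFlags.Administrator) !== 0 || (p & flag) !== 0;
}

// Pre-1.0.3 gate as described on this page: ManageGuild alone is enough.
function vulnerableCanConfigure(invoker) {
  return hasPermission(invoker, PermissionFlags.ManageGuild);
}

// Hardened gate: the invoker may only automate an assignment they could already
// perform by hand. That needs ManageRoles and an invoker highest role above the
// target role (Discord's hierarchy rule; only the guild owner is exempt). The bot's
// own hierarchy is also checked here (assumption) so a dead config is rejected early.
function hardenedCanConfigure(invoker, targetRole, botMember) {
  if (!hasPermission(invoker, PermissionFlags.ManageGuild)) {
    return { ok: false, reason: 'missing ManageGuild' };
  }
  if (!hasPermission(invoker, PermissionFlags.ManageRoles)) {
    return { ok: false, reason: 'missing ManageRoles' };
  }
  if (!invoker.isOwner && invoker.highestRolePosition <= targetRole.position) {
    return { ok: false, reason: 'invoker highest role is not above target role' };
  }
  if (botMember.highestRolePosition <= targetRole.position) {
    return { ok: false, reason: 'bot highest role is not above target role' };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed scenario: an Administrator role below the bot, an invoker holding
// only ManageGuild, and two moderators who also hold ManageRoles.
const adminRole = { id: 'role-admin', position: 5, permissions: PermissionFlags.Administrator };
const bot = { highestRolePosition: 10, permissions: PermissionFlags.ManageRoles };
const attacker = { highestRolePosition: 2, permissions: PermissionFlags.ManageGuild, isOwner: false };
const seniorMod = { highestRolePosition: 8, permissions: PermissionFlags.ManageGuild | PermissionFlags.ManageRoles, isOwner: false };
const juniorMod = { highestRolePosition: 3, permissions: PermissionFlags.ManageGuild | PermissionFlags.ManageRoles, isOwner: false };

console.log(vulnerableCanConfigure(attacker));              // true: the reported bug
console.log(hardenedCanConfigure(attacker, adminRole, bot)); // { ok: false, reason: 'missing ManageRoles' }
```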
Preconditions
- auth: The attacker must have Manage Server (ManageGuild) permission on the Discord guild.
- auth: The attacker must NOT have Manage Roles or Administrator permission.
- config: The bot must have the Manage Roles permission.
- config: The bot's highest role must be above a role that has the Administrator permission.
- input: The attacker must control a second Discord account that can join the guild.
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.