VYPR
High severity · NVD Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

CVE-2026-47197

Description

Moderators with permission bits but lower role hierarchy can moderate users above them via Quest Bot before 1.1.6, bypassing Discord's role protections.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Quest Bot versions prior to 1.1.6, the bot's moderation commands (ban, kick, mute, unmute, warn, rename) only check whether the invoking member has the required permission bit (e.g., BanMembers, KickMembers, ModerateMembers). They do not verify whether the invoking member's highest role is hierarchically above the target member's highest role. The bot instead relies on its own role hierarchy to determine whether the target is bannable, kickable, or moderatable. The absence of an invoker-relative hierarchy check allows a lower-ranked moderator to target users with higher roles, as long as the bot's role is high enough [1].

Exploitation

An attacker needs a Discord permission bit that corresponds to one of the affected commands (e.g., BanMembers for the ban command) and must be able to invoke the bot's slash commands. The attacker does not need to have a role higher than the target; only the bot itself must outrank the target. The steps are: (1) the attacker selects the target member via a slash-command option, (2) the bot performs the permission bit check on the attacker (which passes), (3) the bot checks the target's bannable/kickable/moderatable property (which is bot-relative and passes if the bot's role is high enough), (4) the bot executes the moderation action, effectively bypassing Discord's normal role hierarchy enforcement [1].

Impact

A lower-ranked moderator can ban, kick, timeout, untimeout, warn, or rename users who are above them in the Discord role hierarchy. This can lead to unauthorized removal of high-privilege users, disruption of server operations, and privilege escalation within the server's administrative structure. The compromise is a bypass of the intended access control, allowing actions that should be restricted to higher-ranking moderators [1].

Mitigation

The vulnerability is fixed in Quest Bot version 1.1.6, released on the same date as the advisory [1][2]. Users are strongly advised to upgrade to v1.1.6 immediately. No workaround is documented for earlier versions other than removing the permission bits from lower-ranked moderators until an upgrade can be performed [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing invoker-versus-target role hierarchy check in moderation commands allows a lower-ranked moderator to use the bot to act on higher-ranked users."

Attack vector

An attacker who is a moderator with a lower role can use the bot to moderate users who hold a higher role, bypassing Discord's built-in role hierarchy protection. The attacker invokes any of the bot's slash commands (ban, kick, mute, unmute, warn, or nick) and selects a target member whose role is above the attacker's own role but below the bot's role. The bot checks only the attacker's permission bit and the target's bannable/kickable/moderatable/manageable property (which is relative to the bot, not the invoker), so the action succeeds even though the attacker should not be allowed to moderate that target [ref_id=1].

Affected code

The vulnerability exists in multiple moderation command handlers under `apps/bot/src/commands/moderation/`, including `ban.ts`, `kick.ts`, `mute/mute.ts`, `mute/unmute.ts`, `warn/warn.ts`, and `nick.ts`, as well as the library files `apps/bot/src/lib/bans.ts` and `apps/bot/src/lib/mutes.ts`. Each command checks only whether the invoking member has the required Discord permission bit and whether the target is bannable/kickable/moderatable/manageable relative to the bot, but never compares the invoking member's highest role position against the target's highest role position [ref_id=1].

What the fix does

The patch adds a missing invoker-versus-target role hierarchy check before executing each moderation action. Specifically, the code must compare `member.roles.highest.position` against `targetMember.roles.highest.position`, with proper handling for server owner and self-targeting exceptions. This ensures that a moderator cannot use the bot to act on a user whose highest role is equal to or higher than the moderator's highest role, restoring Discord's intended hierarchy enforcement [ref_id=1].

Preconditions

  • config: The bot's role must be positioned above the target user's highest role in the Discord server role list.
  • auth: The attacker must have a Discord role that is lower than the target's role but still grants the relevant permission bit (Ban Members, Kick Members, Moderate Members, or Manage Nicknames).
  • network: The attacker must be able to invoke the bot's slash commands in a guild where the bot is present.
  • input: The attacker must supply a valid target member via the slash-command options.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.