CVE-2026-47172
Quest Bot is an open-source modern Discord Bot built for moderation, utilities and support
Published: 2026-06-11 · Last updated: 2026-06-11
Severity and scoring
- CWE: CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)
Description
Quest Bot is an open-source modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks out the triggering workflow's head_sha, builds that code into a Docker image, pushes it as latest, and triggers production deployment. If an attacker can open a pull request from a branch named main, the deploy workflow's condition can treat the PR build as deployable and build the attacker-controlled commit in a privileged deployment context. This can result in malicious container deployment and compromise of the production bot. This issue has been patched in version 1.0.3.
Source: NVD
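As an added illustration (a hypothetical workflow, not Quest Bot's own file, which this page does not reproduce), a `workflow_run` deploy job showing the weak branch-name-only condition the advisory describes beside a hardened condition that also checks the triggering event type and the head repository:

```yaml
# Hypothetical deploy workflow illustrating the pattern in CVE-2026-47172.
# It is triggered when the unprivileged "Build" workflow finishes.
name: Deploy
on:
  workflow_run:
    workflows: ["Build"]
    types: [completed]

jobs:
  deploy:
    runs-on: ubuntu-latest
    # WEAK: gating only on the branch name. A pull request whose head
    # branch is named "main" also reports head_branch == 'main', so the
    # PR build is treated as deployable and its head_sha is built and
    # pushed with production credentials.
    # if: github.event.workflow_run.conclusion == 'success' &&
    #     github.event.workflow_run.head_branch == 'main'
    #
    # HARDENED: additionally require that the triggering run came from a
    # push event (not pull_request) and that the head repository is this
    # repository, not a fork. All fields come from the workflow_run payload.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.event == 'push' &&
      github.event.workflow_run.head_branch == 'main' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Checking out the triggering run's commit is only acceptable
          # because the condition above restricts it to pushes to this
          # repository's main branch.
          ref: ${{ github.event.workflow_run.head_sha }}
      - name: Build and push image (registry login step omitted)
        run: |
          docker build -t ghcr.io/${{ github.repository }}:latest .
          docker push ghcr.io/${{ github.repository }}:latest
```

Checking `event == 'push'` alone already excludes PR-triggered builds; the `head_repository` check is defence in depth against a fork build reaching the privileged job.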
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-47172
- [Other] https://github.com/duck-organization/questbot/releases/tag/questbot-v1.0.3
- [Other] https://github.com/duck-organization/questbot/security/advisories/GHSA-9qf3-c86c-j346
Related CVEs
Same CWE
- CVE-2026-53810 — OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading towar... (8.8 HIGH)
- CVE-2026-52858 — Vim is an open source, command line text editor
- CVE-2026-47174 — In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes
- CVE-2026-46529 — Atril Document Viewer is the default document reader of the MATE desktop environment for Linux
- CVE-2026-47292 — Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally (7.8 HIGH)