CVE-2026-47172
Quest Bot: Untrusted pull request code can be built and deployed by privileged `workflow_run` deployment.
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks out the triggering workflow’s head_sha, builds that code into a Docker image, pushes it as latest, and triggers production deployment. If an attacker can open a pull request from a branch named main, the deploy workflow condition can treat the PR build as deployable and build the attacker-controlled commit in a privileged deployment context. This can result in malicious container deployment and production bot compromise. This issue has been patched in version 1.0.3.
| CWE | CWE-829 |
| Vendor | duck-organization |
| Product | quest-bot |
| Published | Jun 11, 2026 |
| Last Updated | Jun 11, 2026 |
Get instant alerts for duck-organization quest-bot
Be the first to know when new unknown vulnerabilities affecting duck-organization quest-bot are published — delivered to Slack, Telegram or Discord.