CVE-2026-47172— Quest Bot 安全漏洞

Quest Bot: Untrusted pull request code can be built and deployed by privileged `workflow_run` deployment.

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks out the triggering workflow’s head_sha, builds that code into a Docker image, pushes it as latest, and triggers production deployment. If an attacker can open a pull request from a branch named main, the deploy workflow condition can treat the PR build as deployable and build the attacker-controlled commit in a privileged deployment context. This can result in malicious container deployment and production bot compromise. This issue has been patched in version 1.0.3.

N/A

从非可信控制范围包含功能例程

Quest Bot 安全漏洞

Quest Bot是Duck Organization开源的一款多功能Discord社区管理机器人。 Quest Bot 1.0.3之前版本存在安全漏洞，该漏洞源于部署工作流条件检查不当，可能导致攻击者通过分支名为main的拉取请求在特权部署环境中构建恶意代码，导致恶意容器部署和生产机器人被破解。

N/A

N/A