According to Snyk security reports, unauthenticated attackers breached publicly accessible panels, achieving remote code execution to install a hidden, resource-draining cryptominer named .fullgc.
Qinglong is a self-hosted task scheduling dashboard that supports multiple scripting languages, including Python 3 and JavaScript.
Snyk notes that the project has gained massive popularity, particularly among the Chinese developer community, accumulating over 19,000 stars on GitHub.
Users frequently deploy the platform on cloud virtual private servers and home networks using Docker containers.
Around February 7, 2026, administrators began noticing abnormal activity. BleepingComputer highlights that sudden CPU spikes pushed server capacity to 100%.
Attackers exploited the unpatched flaws to modify Qinglong’s configuration script, quietly downloading the .fullgc cryptominer disguised as a Java garbage collection process.
This deceptive naming convention was designed to delay administrative investigations while the malware consumed system resources.
The attacks were made possible by two severe flaws in Qinglong versions 2.20.1 and earlier.
Snyk researchers explain that both vulnerabilities stem from a mismatch between the security middleware’s assumptions and the Express.js framework’s routing behavior.
CVE-2026-3965, detailed in GitHub Issue #2933, arises from a URL rewrite rule that incorrectly maps /open/* requests to protected /api/* endpoints.
This flaw allows an attacker to reinitialize and reset administrative credentials with a single unauthenticated request.
CVE-2026-4047, detailed in GitHub Issue #2934, exploits case-insensitive URL handling by altering request casing (e.g., /aPi/) to bypass protections on /api/ endpoints.
Snyk’s vulnerability database shows that this grants direct remote code execution without requiring a credential reset.
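The mismatch described above can be shown with a small model, added here as an illustration and not taken from Qinglong's code: a guard that tests the raw URL case-sensitively, next to a router that matches case-insensitively and applies the /open/ to /api/ rewrite. The path /api/tasks, the function names, and the assumption that the guard runs before the rewrite are hypothetical.

```javascript
// Simplified model (not Qinglong's code). /api/tasks and all names are hypothetical.

// Router side: Express matches route paths case-insensitively unless
// "case sensitive routing" is enabled, so /aPi/tasks reaches the /api/ handler.
function routeFor(path) {
  return /^\/api\//i.test(path) ? "protected-handler" : "public-handler";
}

// Rewrite rule modelled on the article's description: /open/* is mapped onto /api/*.
function rewrite(path) {
  return path.replace(/^\/open\//i, "/api/");
}

// Weak guard: case-sensitive prefix test on the raw URL.
// Assumption: it runs before the rewrite is applied.
function weakGuardRequiresAuth(rawPath) {
  return rawPath.startsWith("/api/");
}

// Hardened guard: decide on the same canonical path the router will dispatch.
function canonical(rawPath) {
  return rewrite(rawPath).toLowerCase();
}
function hardenedGuardRequiresAuth(rawPath) {
  return canonical(rawPath).startsWith("/api/");
}

// Returns the paths that reach a protected handler without the guard demanding auth.
function findGaps(guard, paths) {
  return paths.filter(
    (p) => routeFor(rewrite(p)) === "protected-handler" && !guard(p)
  );
}

// Constructed sample paths for the regression check.
const SAMPLE_PATHS = ["/api/tasks", "/aPi/tasks", "/open/tasks", "/static/app.js"];

console.log("weak guard gaps:", findGaps(weakGuardRequiresAuth, SAMPLE_PATHS));
console.log("hardened guard gaps:", findGaps(hardenedGuardRequiresAuth, SAMPLE_PATHS));
```

A check like findGaps is useful as a regression test after patching: any path that the router treats as protected but the guard waves through is an access control gap.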
The exploitation remained largely unnoticed by the English-speaking security community while wreaking havoc on developer forums.
Initially, GitHub pull requests showed the community attempting to mitigate the threat by filtering malicious inputs, but this proved inadequate against the underlying access control flaw.
The maintainers ultimately resolved the vulnerability by directly fixing the middleware’s authentication logic.
To secure their systems, operators should immediately update their Docker containers, audit for hidden .fullgc files, and place self-hosted panels behind secure VPNs.
The post Qinglong Task Scheduler RCE Vulnerabilities Exploited in the Wild appeared first on Cyber Security News.