Qinglong Vulnerabilities Enable RCE, Exploited in Attacks

Threat actors have been actively exploiting two critical authentication bypass vulnerabilities in Qinglong, a widely used open-source task scheduling platform, to deploy cryptomining malware on exposed servers since early February 2026.

Discovered and disclosed by Snyk researchers, the flaws affect all versions up to and including 2.20.1 and are now tracked as CVE-2026-3965 and CVE-2026-4047.

Qinglong is a self-hosted task management panel that runs scheduled Python3, JavaScript, Shell, and TypeScript scripts.

Critical Qinglong Vulnerabilities Enable RCE

With over 19,000 GitHub stars and 3,200 forks, the platform is widely deployed by Chinese-speaking developers on cloud VPS instances and home servers, primarily distributed via Docker.

Both vulnerabilities stem from a mismatch between how the authentication middleware classifies a request and how Express.js actually routes it:

  • CVE-2026-3965 (URL Rewriting Bypass): A misconfigured rewrite rule maps /open/* requests directly to /api/*, unintentionally exposing protected admin endpoints without authentication. An attacker could send a single unauthenticated PUT request to /open/user/init to reset admin credentials and gain full panel control.
  • CVE-2026-4047 (Case-Sensitive Path Bypass): The authentication middleware checks for paths beginning with /api/ using case-sensitive matching, while Express.js routes requests case-insensitively. A request to /aPi/system/command-run therefore bypasses the auth check entirely, granting unauthenticated Remote Code Execution (RCE) without any credential reset.
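To make the mismatch concrete, the following is an added example (not code from Qinglong, Snyk, or the patch) that models the two request pipelines without any dependencies: a vulnerable one in which a global middleware classifies the raw path with a case-sensitive prefix test before the rewrite and the case-insensitive router run, and a hardened one in which the route is resolved first and the auth requirement is attached to the route itself. The endpoint names follow the article; the `/login` public route, the pipeline shape, and the `handle*` function names are this example's assumptions.

```javascript
// Added example, not Qinglong's code: models the middleware/router mismatch.
// Express matches route paths case-insensitively unless caseSensitive routing
// is enabled, so the simulated router compares lowercased paths.
const ROUTES = [
  { pattern: '/api/system/command-run', requiresAuth: true },
  { pattern: '/api/user/init', requiresAuth: true },
  { pattern: '/login', requiresAuth: false }, // assumed public route
];

// Express routes on req.path, so drop the query string before matching.
function routePath(req) {
  return req.url.split('?')[0];
}

// Simulated Express router: case-insensitive exact match against ROUTES.
function resolveRoute(path) {
  const wanted = path.toLowerCase();
  return ROUTES.find((r) => r.pattern.toLowerCase() === wanted) || null;
}

// The rewrite rule behind CVE-2026-3965: /open/* is mapped onto /api/*.
function rewriteOpen(path) {
  return path.startsWith('/open/') ? '/api/' + path.slice('/open/'.length) : path;
}

// Vulnerable pipeline: a global middleware decides "protected or not" from a
// case-sensitive prefix test on the *raw* path, then the rewrite and the
// case-insensitive router dispatch on something the middleware never saw.
function handleVulnerable(req) {
  const raw = routePath(req);
  if (raw.startsWith('/api/') && !req.authenticated) return { status: 401 };
  const route = resolveRoute(rewriteOpen(raw));
  if (!route) return { status: 404 };
  return { status: 200, route: route.pattern };
}

// Hardened pipeline: resolve the route exactly as the router does (after any
// rewrite), then enforce the requirement carried by that route. There is no
// separate path classifier left to disagree with the router.
function handleFixed(req) {
  const route = resolveRoute(rewriteOpen(routePath(req)));
  if (!route) return { status: 404 };
  if (route.requiresAuth && !req.authenticated) return { status: 401 };
  return { status: 200, route: route.pattern };
}

// Stand-alone demonstration of both bypass shapes against each pipeline.
for (const url of ['/aPi/system/command-run', '/open/user/init']) {
  const req = { url, authenticated: false };
  console.log(url, 'vulnerable:', handleVulnerable(req).status, 'fixed:', handleFixed(req).status);
}
```

The design point is that the hardened pipeline never re-derives "is this path protected" from a string prefix; it asks the same routing logic the framework uses and reads the policy off the resolved route, so case variants and rewrites cannot open a gap.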

Exploitation began as early as February 7, 2026, weeks before formal vulnerability disclosure on February 27.

Attackers modified Qinglong’s config.sh configuration file to inject a shell script that downloads a platform-specific binary supporting Linux and macOS variants from the domain.

The binary was saved as a hidden file named .fullgc and launched as a persistent background process.

According to Snyk, the .fullgc naming is deliberate: it mimics “Full GC” (Full Garbage Collection), a legitimate JVM event known to spike CPU usage, which camouflages the miner's load as normal application behaviour.

Affected systems reported 85–100% CPU saturation, with infections confirmed even on setups behind Nginx reverse proxies and SSL. Alibaba Cloud (Aliyun) flagged several impacted instances for anomalous cryptomining activity.
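Because many affected deployments sit behind Nginx, the reverse-proxy access log is where the two request shapes described above can be spotted after the fact. The following is an added example, not from the article or Snyk's advisory, that scans Nginx-style combined-format log lines for case-variant /api/ paths and for /open/* requests whose rewrite target is a sensitive endpoint; the log lines are constructed for the example, and the `findSuspicious` and `classify` names are this example's own.

```javascript
// Added example, not Qinglong's or Snyk's code: post-incident log triage.
// Constructed sample lines in Nginx combined format (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [07/Feb/2026:03:12:41 +0000] "POST /aPi/system/command-run HTTP/1.1" 200 512',
  '10.0.0.5 - - [07/Feb/2026:03:12:45 +0000] "PUT /open/user/init HTTP/1.1" 200 90',
  '10.0.0.9 - - [07/Feb/2026:08:00:01 +0000] "GET /api/crons?page=1 HTTP/1.1" 200 2048',
  '10.0.0.9 - - [07/Feb/2026:08:00:02 +0000] "GET /open/ping HTTP/1.1" 404 0',
];

// ip, ident, user, [time], "method url proto", status
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Endpoints named in the article as reachable through the bypasses.
const SENSITIVE = ['/api/user/init', '/api/system/command-run'];

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null; // unparseable line: skip rather than guess
  return { ip: m[1], time: m[2], method: m[3], url: m[4], status: Number(m[5]) };
}

// Return the list of reasons a request looks like one of the bypass shapes.
function classify(entry) {
  const path = entry.url.split('?')[0];
  const lower = path.toLowerCase();
  const reasons = [];
  // Routes case-insensitively to /api/* but does not literally start with
  // /api/, so a case-sensitive auth check would not have fired (CVE-2026-4047).
  if (lower.startsWith('/api/') && !path.startsWith('/api/')) {
    reasons.push('case-variant-api-path');
  }
  // /open/* that the rewrite rule would map onto a sensitive endpoint (CVE-2026-3965).
  if (lower.startsWith('/open/')) {
    const rewritten = '/api/' + lower.slice('/open/'.length);
    if (SENSITIVE.includes(rewritten)) reasons.push('open-rewrite-to-sensitive');
  }
  return reasons;
}

function findSuspicious(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;
    const reasons = classify(entry);
    if (reasons.length > 0) hits.push({ ...entry, reasons });
  }
  return hits;
}

// Stand-alone run over the constructed sample.
for (const hit of findSuspicious(SAMPLE_LOG)) {
  console.log(hit.time, hit.ip, hit.method, hit.url, hit.status, hit.reasons.join(','));
}
```

A 200 status on either flagged shape before the patch date is a strong indicator that the panel was reached without credentials; a 401 or 404 on the same shapes is consistent with scanning that did not succeed.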

Patch and Mitigation

The Qinglong maintainer acknowledged the vulnerabilities on March 1, 2026, urging immediate updates.

The root fix arrived in PR #2941, which corrects the check in the authentication middleware itself rather than filtering request payloads.

Administrators running Qinglong should immediately:

  • Update to the latest patched Docker image
  • Check for the .fullgc binary at /ql/data/db/.fullgc
  • Scan config.sh for references to 551911 or fullgc
  • Audit running processes with ps aux | grep fullgc
  • Restrict panel exposure behind a VPN or SSH tunnel rather than direct internet access.

This incident underscores a persistent security anti-pattern: when authorization middleware and the routing framework disagree on how a request is classified, authentication bypasses become trivial to exploit, a risk that extends well beyond any single framework or project.


The post Qinglong Vulnerabilities Enable RCE, Exploited in Attacks appeared first on Cyber Security News.
