Hackers Exploit RCE Flaws in Qinglong Scheduler for Cryptomining
Since early February, attackers have been chaining two authentication bypass flaws in Qinglong versions 2.20.1 and older to gain remote code execution and deploy cryptominers. Snyk reports ongoing attacks on exposed panels, with a proper fix arriving only in the recent PR #2941.

Exploitation began in early February 2026, before Snyk researchers publicly disclosed the issues at the end of the month. Qinglong, a self-hosted time management platform popular among Chinese developers, has over 3,200 forks and 19,000 GitHub stars. The flaws affect versions 2.20.1 and older and can be chained for remote code execution.
CVE-2026-3965 stems from a misconfigured rewrite rule that maps '/open/*' requests to '/api/*', exposing admin endpoints. CVE-2026-4047 arises because the authentication middleware compares paths case-sensitively while Express.js routing matches case-insensitively, so a request such as '/aPi/...' skips the check yet still reaches the '/api/...' handler. Snyk attributes both issues to a mismatch between middleware authorization and framework behavior.
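As an added illustration (not Qinglong's code or Snyk's), the following Node.js sketch models the second mismatch: the weak check inspects the raw path case-sensitively, while routing, like Express's default router, matches case-insensitively. The route table, public allowlist and request paths are constructed for the demo; the hardened variant normalizes the path exactly as the router does and denies by default.

```javascript
// Constructed route table: one admin endpoint, one public endpoint.
const ROUTES = [
  { pattern: '/api/system/config', handler: 'admin-config' }, // protected
  { pattern: '/api/user/login',    handler: 'login' },        // public
];
// Constructed allowlist of routes that need no token.
const PUBLIC_ROUTES = new Set(['/api/user/login']);

// Express's default router is case-insensitive, so '/aPi/...' and
// '/api/...' resolve to the same handler.
function findRoute(path) {
  const p = path.toLowerCase();
  return ROUTES.find((r) => r.pattern.toLowerCase() === p) || null;
}

// Weak check: exact-case prefix test on the raw request path.
// '/aPi/system/config' does not start with '/api/', so it is treated
// as public even though the router sends it to the admin handler.
function needsAuthWeak(path) {
  return path.startsWith('/api/') && path !== '/api/user/login';
}

// Hardened check: normalize the path the same way the router will,
// then deny by default and allow only the explicit public list.
function needsAuthHardened(path) {
  return !PUBLIC_ROUTES.has(path.toLowerCase());
}

// Simulated pipeline: auth middleware first, then routing.
// Returns the handler name that would run, or '401' / '404'.
function handle(req, needsAuth) {
  if (needsAuth(req.path) && !req.token) return '401';
  const route = findRoute(req.path);
  return route ? route.handler : '404';
}

// Detection aid for proxy or app logs: an API route reached through a
// mixed-case path is a strong signal of this bypass being attempted.
function isMixedCaseApiPath(path) {
  return path.toLowerCase().startsWith('/api/') && !path.startsWith('/api/');
}
```

The same principle, deciding authorization on the normalized path the framework will actually dispatch, also covers rewrite-rule mismatches like the first CVE.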
Attackers began targeting public Qinglong panels on February 7, injecting shell commands via a modified config.sh to download miners from file.551911.xyz. The payloads include Linux x86_64, ARM64, and macOS variants, executed as a hidden '.fullgc' process that consumes 85% to 100% CPU, a name chosen to mimic a 'Full GC' and evade detection. Infections were observed even on deployments behind Nginx with SSL.
Qinglong maintainers acknowledged the issues on March 1 and released PR #2924 to block the command injection, which Snyk deemed insufficient. The effective fix arrived in PR #2941, correcting the authentication bypass.
Expert Take: Self-hosted Qinglong admins must upgrade to PR #2941 and restrict public exposure to block these auth bypass chains.