Full Report
Hackers are exploiting two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptominers on developers' servers. [...]
Analysis Summary
# Vulnerability: Authentication Bypass Chained for RCE in Qinglong Task Scheduler
## CVE Details
- **CVE ID:** CVE-2026-3965, CVE-2026-4047
- **CVSS Score:** Not explicitly listed (estimated High/Critical due to RCE and active exploitation)
- **CWE:** CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
## Affected Systems
- **Products:** Qinglong (Open-source task scheduling/time management platform)
- **Versions:** 2.20.1 and older
- **Configurations:** Systems with publicly exposed panels; impacts various architectures including Linux x86_64, ARM64, and macOS.
## Vulnerability Description
The vulnerability consists of two distinct flaws in the middleware authorization logic that, when chained, allow for Remote Code Execution (RCE):
- **CVE-2026-3965:** A misconfigured rewrite rule maps `/open/*` requests to `/api/*`, exposing protected administrative endpoints through an unauthenticated path.
- **CVE-2026-4047:** A case-sensitivity mismatch: the authentication middleware compares paths case-sensitively (expecting `/api/`), while the Express.js router matches them case-insensitively, so variants such as `/aPi/...` reach protected handlers without passing the authentication check.
By bypassing authentication, attackers can modify the `config.sh` file to inject shell commands, leading to full system compromise.
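The mismatch behind CVE-2026-4047, as an added example that is not Qinglong's own code: a model of a case-sensitive middleware check beside a hardened variant that normalizes the path the way Express's case-insensitive router sees it, plus a detector that runs both over constructed access-log lines to flag the mixed-case requests listed under Detection. Endpoint paths and log lines are constructed, not taken from the project.

```javascript
// Added example, not Qinglong's code: models the CVE-2026-4047 mismatch.
// Express matches routes case-insensitively by default, so "/aPi/x"
// reaches the "/api/x" handler; a middleware that checks the raw path
// with a case-sensitive prefix test lets that request through unauthenticated.
// Endpoint names and log lines below are constructed for the demo.

const PROTECTED_PREFIX = "/api/";

// Vulnerable check: case-sensitive comparison on the raw request path.
function requiresAuthVulnerable(rawPath) {
  return rawPath.startsWith(PROTECTED_PREFIX);
}

// Hardened check: strip the query string and lower-case the path so the
// middleware sees the same thing the case-insensitive router will match.
function normalizePath(rawPath) {
  return rawPath.split("?")[0].toLowerCase();
}
function requiresAuthHardened(rawPath) {
  return normalizePath(rawPath).startsWith(PROTECTED_PREFIX);
}

// Models Express's default routing: the handler mounted under /api/ is
// selected whenever the lower-cased path starts with /api/.
function routerSelectsProtectedHandler(rawPath) {
  return normalizePath(rawPath).startsWith(PROTECTED_PREFIX);
}

// Detection over access-log lines: flag requests that the router would send
// to a protected handler but that the case-sensitive check would not gate.
function findBypassAttempts(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST|PUT|DELETE|PATCH) (\S+) HTTP/);
    if (!m) continue;
    const path = m[1];
    if (routerSelectsProtectedHandler(path) && !requiresAuthVulnerable(path)) hits.push(path);
  }
  return hits;
}

// Constructed sample log lines (combined log format, not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [07/Feb/2026:10:00:01 +0000] "GET /api/configs HTTP/1.1" 401 0',
  '10.0.0.5 - - [07/Feb/2026:10:00:02 +0000] "GET /aPi/configs HTTP/1.1" 200 512',
  '10.0.0.9 - - [07/Feb/2026:10:00:03 +0000] "GET /static/index.html HTTP/1.1" 200 2048',
  '10.0.0.5 - - [07/Feb/2026:10:00:04 +0000] "PUT /API/configs?name=config.sh HTTP/1.1" 200 0',
];
```

The same lowercase-before-compare rule is what a reverse-proxy ACL in front of the panel needs to apply, otherwise the proxy repeats the middleware's mistake.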
## Exploitation
- **Status:** Exploited in the wild (active since February 7, 2026).
- **Complexity:** Low.
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Access to administrative endpoints and configuration files).
- **Integrity:** High (Modification of configuration files and injection of malicious shell commands).
- **Availability:** High (Resource exhaustion due to cryptomining; CPU usage at 85-100%).
## Remediation
### Patches
- **Recommended Version:** Update to the latest version of Qinglong (post-PR #2941).
- **Note:** Initial attempts to fix the issue (PR #2924) focused on command injection patterns and were deemed insufficient. The comprehensive fix was implemented in **Pull Request #2941**, which addressed the core authentication bypass in the middleware.
### Workarounds
- Immediate isolation of Qinglong panels from the public internet.
- Deployment behind a Reverse Proxy with strict path-based access control lists (ACLs) that enforce case-sensitivity or block specific URL patterns.
## Detection
- **Indicators of Compromise (IoC):**
  - **Process Name:** `.fullgc` (Hidden process mimicking "Full Garbage Collection").
  - **File Path:** `/ql/data/db/.fullgc`
  - **Network Activity:** Downloads from `file[.]551911[.]xyz`.
- **Detection Methods:**
  - Monitor for unusually high CPU utilization (85-100%).
  - Inspect `config.sh` for unauthorized shell command injections.
  - Review web server logs for suspicious request patterns such as `/aPi/` or unexpected `/open/` traversals.
## References
- **Snyk Research:** hxxps[://]snyk[.]io/blog/qinglong-task-scheduler-rce-vulnerabilities/
- **GitHub Issues:**
  - hxxps[://]github[.]com/whyour/qinglong/issues/2923
  - hxxps[://]github[.]com/whyour/qinglong/issues/2926
  - hxxps[://]github[.]com/whyour/qinglong/issues/2928
- **Vendor PR:** hxxps[://]github[.]com/whyour/qinglong/pull/2941