Critical Authentication Bypass and RCE Vulnerabilities Detected in Qinglong Task Scheduler

Security researchers and threat intelligence feeds have identified active exploitation of two severe authentication bypass vulnerabilities within Qinglong, a widely utilized open-source task scheduling platform.

These vulnerabilities present a high-risk attack vector, allowing unauthorized actors to achieve full system compromise and deploy resource-intensive cryptomining payloads on vulnerable infrastructure.

For context, Qinglong serves as a versatile, self-hosted orchestration engine, enabling developers to automate complex background workflows using a variety of runtimes, including Python, JavaScript, Shell, and TypeScript. Given its massive popularity—boasting over 19,000 stars on GitHub—it has become a prime target for automated scanning bots, particularly among users running the platform via Docker containers on home servers or cloud-based VPS instances.

Technical Breakdown: The Authentication Bypass Flaws

The current wave of exploitation targets Qinglong versions 2.20.1 and earlier. The root cause of these vulnerabilities lies in a fundamental architectural mismatch between the Express.js routing engine and the application’s custom security middleware implementation.

CVE-2026-3965: URL Rewriting & Account Takeover
The first vulnerability, tracked as CVE-2026-3965, involves a sophisticated URL rewriting flaw. By crafting a highly specific, unauthenticated request directed at public endpoints, an attacker can trigger a logic error that forces an administrative password reset. This effectively grants the attacker full administrative privileges over the Qinglong dashboard without needing prior credentials.

CVE-2026-4047: Case-Sensitivity Bypass leading to RCE
The second vulnerability, CVE-2026-4047, is even more critical, as it facilitates direct Remote Code Execution (RCE). As reported by Snyk, the application’s security layer is designed to inspect and validate URL paths, specifically looking for lowercase strings. However, because the underlying Express.js framework processes routes in a case-insensitive manner, attackers can bypass these security filters by simply changing the casing of a URL path (e.g., requesting /aPi/ instead of /api/). This bypass allows the injection of arbitrary system commands directly into the environment.

Threat Actor Behavior & Malware Analysis

Active exploitation of these flaws was observed starting in early February 2026. The primary indicator of compromise (IoC) for administrators has been sudden, unexplained spikes in CPU utilization, often reaching near 100% capacity.

Upon gaining entry, threat actors modify the Qinglong configuration files to initiate a download of a specialized malicious binary from a remote command-and-control (C2) server. To evade detection during routine system audits, the attackers employ a deceptive naming convention: they save the malware as .fullgc. This is a calculated attempt to mimic “Full Garbage Collection,” a standard high-resource background process in Java-based environments, thereby tricking administrators into ignoring the spike in activity.

The malware is highly sophisticated, featuring cross-platform support for multiple architectures, including both Linux and macOS. Furthermore, it includes a custom persistence mechanism designed to ensure that if an administrator identifies and terminates the malicious process, a secondary script will automatically re-instantiate the miner.

Remediation and Hardening Strategies

While early community-driven hotfixes attempted to mitigate the threat by blacklisting specific malicious input strings, these were merely “band-aid” solutions. A robust defense requires addressing the underlying logic flaws in the middleware. The Qinglong maintainers have since released official patches that correctly implement access-control logic.

Immediate Action Items:

  • Update Immediately: Administrators must pull the latest official Docker images to ensure all security patches are applied.
  • Threat Hunting: Perform a forensic audit of your deployment. Search for the existence of the hidden .fullgc file and inspect configuration files for any unauthorized outbound connections or unknown external domains.
  • Network Isolation: Exposing administrative automation tools directly to the public internet is a high-risk configuration. It is strongly recommended to gate these services behind a Virtual Private Network (VPN), an Identity-Aware Proxy, or a secure SSH tunnel.

Related Articles

Back to top button