Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining

Published: (April 29, 2026 at 04:50 PM EDT)

Source: Bleeping Computer

Hackers are exploiting two authentication bypass vulnerabilities in the Qinglong open‑source task scheduling tool to deploy cryptominers on developers’ servers.

Exploitation started in early February, before the security issues were disclosed publicly at the end of the month, according to researchers at cloud‑native application security company Snyk.

Qinglong is a self‑hosted open‑source time‑management platform popular among Chinese developers. It has been forked more than 3,200 times and has over 19,000 stars on GitHub.


Vulnerabilities

The two security problems affect Qinglong versions 2.20.1 and older and can be chained to achieve remote code execution (RCE).

CVE‑2026‑3965

A misconfigured rewrite rule maps /open/* requests to /api/*, unintentionally exposing protected admin endpoints through an unauthenticated path.

CVE‑2026‑4047

The authentication check treats paths as case‑sensitive (/api/), while the router matches them case‑insensitively, allowing requests like /aPi/... to bypass authentication and reach protected endpoints.

Root cause: a mismatch between middleware authorization logic and Express.js routing behavior.

“Both vulnerabilities stem from a mismatch between the security middleware’s assumptions and the framework’s behavior,” Snyk researchers explain.
“The auth layer assumed certain URL patterns would always be handled one way, while Express.js treated them differently.”
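As an added illustration (not Qinglong's code and not from the Snyk write-up), the kind of prefix check that embodies the assumption described above, beside a default-deny check that normalises the path the way the router will see it, plus a log filter that flags requests reaching /api/* only through case changes, percent-encoding or the /open/ alias. The endpoint names and the access-log lines are constructed for the example.

```javascript
// Reconstruction of the mistaken assumption described above (not Qinglong's
// actual code): an exact, case-sensitive prefix decides whether auth applies.
function vulnerableRequiresAuth(path) {
  return path.startsWith('/api/');
}

// Canonicalise the path the way the router will see it: drop the query,
// percent-decode, collapse repeated slashes, lower-case (Express matches
// routes case-insensitively by default) and apply the same /open/* -> /api/*
// rewrite the server applies before routing.
function normalizePath(rawPath) {
  let p = rawPath.split('?')[0];
  try { p = decodeURIComponent(p); } catch (_) { /* keep raw on bad encoding */ }
  p = p.replace(/\/+/g, '/').toLowerCase();
  if (p.startsWith('/open/')) p = '/api/' + p.slice('/open/'.length);
  return p;
}

// Hypothetical public allow-list; every other route needs a valid session.
const PUBLIC_PATHS = new Set(['/api/login', '/api/health']);

// Default-deny: only an exact match on the normalised allow-list skips auth.
function hardenedRequiresAuth(rawPath) {
  return !PUBLIC_PATHS.has(normalizePath(rawPath));
}

// Detection: flag access-log requests that reach a protected /api/* route
// only after normalisation (mixed case, encoding, or the /open/ alias).
function flagSuspicious(logLines) {
  return logLines.filter((line) => {
    const m = line.match(/"(?:GET|POST|PUT|DELETE) (\S+) HTTP/);
    if (!m) return false;
    const raw = m[1].split('?')[0];
    const norm = normalizePath(raw);
    return norm.startsWith('/api/') && raw !== norm && !PUBLIC_PATHS.has(norm);
  });
}

// Constructed sample log lines (not real traffic); endpoint names are made up.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "POST /api/login HTTP/1.1" 200 120',
  '10.0.0.9 - - [01/Mar/2024:10:00:02 +0000] "GET /aPi/admin/scripts HTTP/1.1" 200 2048',
  '10.0.0.9 - - [01/Mar/2024:10:00:03 +0000] "POST /open/admin/scripts HTTP/1.1" 200 15',
  '10.0.0.5 - - [01/Mar/2024:10:00:04 +0000] "GET /api/health HTTP/1.1" 200 2',
];

console.log(flagSuspicious(SAMPLE_LOG).map((l) => l.match(/"\w+ (\S+)/)[1])); // prints the two flagged request paths
```

The same normalisation should be applied to any other allow/deny decision made on the raw URL (rate limits, audit logging), otherwise those layers inherit the same blind spot.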

Attack Timeline & Impact

  • February 7, 2024: Snyk reports attackers targeting publicly exposed Qinglong panels to deploy cryptominers.
  • Early reports: Qinglong users noticed a rogue hidden process named .fullgc consuming 85‑100 % of CPU. The name mimics “Full GC,” an innocuous but resource‑intensive process, to evade detection.
  • Method: Attackers modified config.sh, injected shell commands that downloaded a miner to /ql/data/db/.fullgc, and executed it in the background. The binary was fetched from file.551911.xyz, which hosted variants for Linux x86_64, ARM64, and macOS.
  • Continued activity: Multiple confirmed infections across various setups, including behind Nginx and SSL.
  • March 1, 2024: Qinglong maintainers acknowledged the vulnerability and urged users to install the latest update. The initial mitigation in pull request #2924 focused on blocking command‑injection patterns but was deemed insufficient.
  • Effective fix: PR #2941 corrected the authentication bypass in the middleware, providing a proper resolution.

Mitigation

  • Upgrade to the latest Qinglong release (post‑PR #2941) which includes the authentication bypass fix.
  • Review and harden any publicly exposed Qinglong instances, ensuring that rewrite rules and routing configurations do not expose admin endpoints.
  • Monitor for unexpected processes (e.g., .fullgc) and unauthorized modifications to config.sh or other critical scripts.