Hackers are exploiting two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptominers on developers’ servers.
Exploitation started in early February, before the security issues were disclosed publicly at the end of the month, according to researchers at cloud-native application security company Snyk.
Qinglong is a self-hosted open-source time management platform popular among Chinese developers. It has been forked more than 3,200 times and has over 19,000 stars on GitHub.
The two security problems impact Qinglong versions 2.20.1 and older and can be chained to achieve remote code execution:
- CVE-2026-3965: A misconfigured rewrite rule maps ‘/open/*’ requests to ‘/api/*’, unintentionally exposing protected admin endpoints through an unauthenticated path
- CVE-2026-4047: The authentication check treats paths as case-sensitive (/api/), while the router matches them case-insensitively, allowing requests like ‘/aPi/…’ to bypass authentication and reach protected endpoints.
The root cause in both flaws is a mismatch between middleware authorization logic and Express.js routing behavior.
“Both vulnerabilities stem from a mismatch between the security middleware’s assumptions and the framework’s behavior,” Snyk researchers explain.
“The auth layer assumed certain URL patterns would always be handled one way, while Express.js treated them differently.”
Snyk reports that attackers have been targeting these two flaws on publicly exposed Qinglong panels to deploy cryptominers since February 7.
This activity was first spotted by Qinglong users, who reported about a rogue hidden process named ‘.fullgc’ utilizing between 85% and 100% of their CPU power.
The name deliberately mimics “Full GC,” an innocuous but resource-intensive process, to evade detection.
According to Snyk, the attackers exploited the flaws to modify Qinglong’s config.sh and injected shell commands that downloaded a miner to ‘/ql/data/db/.fullgc,’ and executed it in the background.
The remote resource located at ‘file.551911.xyz’ hosted multiple variants of the binary, including for Linux x86_64, ARM64, and macOS.
The attacks continued with multiple confirmed infections across various setups, including behind Nginx and SSL, while the Qinglong maintainers only responded to the situation on March 1.
The maintainer acknowledged the vulnerability and urged users to install the latest update. However, the mitigation in pull release #2924 focused on blocking command injection patterns, which Snyk says was insufficient.
The researchers report that the effective fix came in PR #2941, which corrected the authentication bypass in the middleware.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
