Qinglong Task Scheduler Flaws Exploited for Crypto Mining

Key Takeaways

- Two CVEs in Qinglong versions 2.20.1 and older allow authentication bypass and remote code execution
- Attackers have deployed cryptominers disguised as '.fullgc' since February 7, before public disclosure
- The effective fix arrived in PR #2941, not the initial mitigation in PR #2924
What Happened
Hackers are actively exploiting two authentication bypass vulnerabilities in Qinglong, an open-source task scheduling tool popular among Chinese developers. The attacks began on February 7, weeks before the security issues were publicly disclosed at the end of the month.
Researchers at cloud-native security company Snyk discovered the exploitation campaign. Qinglong has been forked more than 3,200 times and has over 19,000 stars on GitHub, making it a high-value target.
The attackers chain two flaws to achieve remote code execution, then deploy cryptominers that consume between 85% and 100% of victims' CPU power.
The Two Vulnerabilities
Both flaws affect Qinglong versions 2.20.1 and older. They stem from a mismatch between how security middleware and Express.js handle URL patterns.
- CVE-2026-3965: A misconfigured rewrite rule maps '/open/' requests to '/api/', exposing protected admin endpoints through an unauthenticated path.
- CVE-2026-4047: The authentication check compares paths case-sensitively (only an exact '/api/' prefix is guarded), but Express.js routers match paths case-insensitively unless the caseSensitive option is enabled. A request to '/aPi/...' therefore skips the check and still reaches the '/api/...' handler.
“Both vulnerabilities stem from a mismatch between the security middleware's assumptions and the framework's behavior. The auth layer assumed certain URL patterns would always be handled one way, while Express.js treated them differently.”
— Snyk researchers
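The two mismatches are easy to reproduce in a few lines. The block below is an added example written for this page, not Qinglong's code or Snyk's proof of concept: a dependency-free model of a request pipeline with a case-sensitive auth prefix check, an '/open/' to '/api/' rewrite that runs after auth, and a router that (like Express by default) matches case-insensitively. The route table, the token value and the '/open/status' public route are hypothetical. The hardened variant makes the authorization decision on the same canonical path string the router dispatches on, drops the rewrite, uses a case-sensitive router, and denies by default.

```javascript
// Added example (not Qinglong's or Snyk's code). Models the middleware/router
// mismatch described in the article and a hardened variant. Route table,
// token value and the public '/open/status' route are hypothetical.

const TOKEN = 'Bearer demo-token'; // hypothetical credential

// Route table keyed by path. Express matches routes case-insensitively unless
// the `caseSensitive` router option is enabled; lookupRoute mimics either mode.
const routes = {
  '/api/configs/config.sh': () => ({ status: 200, body: 'config handler' }),
  '/api/system': () => ({ status: 200, body: 'system handler' }),
  '/open/status': () => ({ status: 200, body: 'public status' }),
};

function lookupRoute(path, { caseSensitive }) {
  for (const [route, handler] of Object.entries(routes)) {
    const hit = caseSensitive
      ? route === path
      : route.toLowerCase() === path.toLowerCase();
    if (hit) return handler;
  }
  return null;
}

// --- Vulnerable pipeline ---------------------------------------------------
// 1. Auth runs first and only guards paths that start with the literal '/api/'.
// 2. A rewrite then maps '/open/...' onto '/api/...' (the CVE-2026-3965 shape).
// 3. The router matches case-insensitively (the CVE-2026-4047 shape).
function vulnerableDispatch(req) {
  const authed = req.headers.authorization === TOKEN;
  if (req.path.startsWith('/api/') && !authed) {
    return { status: 401, body: 'unauthorized' };
  }
  let path = req.path;
  if (path.startsWith('/open/')) path = '/api/' + path.slice('/open/'.length);
  const handler = lookupRoute(path, { caseSensitive: false });
  return handler ? handler() : { status: 404, body: 'not found' };
}

// --- Hardened pipeline -----------------------------------------------------
// Canonicalise once, decide authorization on that exact string, deny by
// default via an explicit public allowlist, and route case-sensitively.
// There is no '/open/' -> '/api/' rewrite at all.
const PUBLIC_PATHS = new Set(['/open/status']);

function hardenedDispatch(req) {
  let path;
  try {
    path = decodeURIComponent(req.path); // reject malformed percent-encoding
  } catch {
    return { status: 400, body: 'bad path' };
  }
  path = path.replace(/\/+/g, '/'); // collapse '//' so '//api/x' is '/api/x'
  if (!PUBLIC_PATHS.has(path) && req.headers.authorization !== TOKEN) {
    return { status: 401, body: 'unauthorized' };
  }
  const handler = lookupRoute(path, { caseSensitive: true });
  return handler ? handler() : { status: 404, body: 'not found' };
}

// Probes: a legitimate unauthenticated request, then the two bypass shapes.
const probes = [
  { path: '/api/configs/config.sh', headers: {} },
  { path: '/aPi/configs/config.sh', headers: {} },
  { path: '/open/configs/config.sh', headers: {} },
];
for (const req of probes) {
  console.log(
    req.path.padEnd(26),
    'vulnerable:', vulnerableDispatch(req).status,
    'hardened:', hardenedDispatch(req).status,
  );
}
```

Run with `node mismatch.js`: the vulnerable pipeline returns 200 for both '/aPi/...' and '/open/...' without a token, while the hardened one returns 401 for every non-allowlisted path. The design point is that the hardened version never has two components forming opinions about different strings; one canonical path feeds both the authorization decision and the router.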
How the Attack Works
Qinglong users first noticed something wrong when a process named '.fullgc' appeared on their systems, maxing out CPU usage. The leading dot keeps the binary out of a plain directory listing, and the name was chosen to resemble a 'Full GC' (full garbage collection), a legitimate but CPU-hungry runtime activity, so that it does not raise immediate alarm.
The attackers exploited the flaws to modify Qinglong's config.sh file. They injected shell commands that downloaded a miner binary to '/ql/data/db/.fullgc' and executed it in the background.
The remote server at 'file.551911.xyz' hosted the miner for several platforms: Linux x86_64, Linux ARM64, and macOS. The same campaign could therefore mine on nearly any host Qinglong runs on, not just x86 servers.
Snyk confirmed multiple infections across a range of deployments, including instances running behind Nginx with TLS. A reverse proxy or TLS does not help here: the malicious requests are well-formed HTTP that the proxy forwards like any other, and the bypass happens inside the application's own middleware.
Patching Was Slow and Incomplete
The Qinglong maintainers responded on March 1, about three weeks after exploitation started. The initial patch in pull request #2924 focused on blocking command-injection patterns in submitted input. Snyk says this was insufficient: filtering payloads does not close the unauthenticated path that delivered them.
The effective fix came in PR #2941, which corrected the authentication bypass in the middleware itself. Users running Qinglong 2.20.1 or older should update immediately.
Who Is at Risk
Anyone running a publicly exposed Qinglong panel on version 2.20.1 or earlier is vulnerable. The tool is primarily used by Chinese developers for automated task scheduling, but its GitHub popularity means it has users worldwide.
Signs of compromise include unexplained high CPU usage and a running process named '.fullgc'. Administrators should diff config.sh against a known-good copy (any line that downloads and executes something is a red flag), inspect '/ql/data/db/' for unexpected files, and treat every credential and token stored on a compromised instance as exposed, since the attackers had code execution.
Lessons for Self-Hosted Tools
This incident highlights the risks of running self-hosted open-source tools with public-facing panels. The root cause was subtle: middleware and router disagreed about URL handling. These mismatches are common in Node.js applications built with Express.js.
Security teams should audit any self-hosted tools for similar authentication bypass patterns. Testing should include case variations in URL paths, percent-encoded and double-slash variants, and unexpected route mappings or rewrites. The underlying rule is that the authorization decision must be made on exactly the path string the router will dispatch on, and that anything not explicitly public should be denied by default.
Frequently Asked Questions
What is Qinglong and who uses it?
Qinglong is an open-source, self-hosted task scheduling platform popular among Chinese developers. It has over 19,000 GitHub stars and more than 3,200 forks.
How do I know if my Qinglong instance is compromised?
Look for a process named '.fullgc' consuming 85-100% CPU. Check config.sh for unauthorized modifications, in particular any line that downloads and runs a binary, and inspect '/ql/data/db/' (with hidden files shown) for suspicious files.
Which Qinglong versions are affected?
Versions 2.20.1 and older are vulnerable. The effective fix is available in PR #2941.
Does running Qinglong behind Nginx or SSL protect against this attack?
No. Snyk confirmed infections on setups running behind Nginx with SSL. The exploitation happens at the application level.
What caused these vulnerabilities?
Both flaws stem from a mismatch between security middleware assumptions and Express.js routing behavior, particularly around URL pattern handling and case sensitivity.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer