


Perceptive Security
SOC/SIEM Consultancy

Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining
Published:
29 April 2026 at 20:50:35
Alert date:
29 April 2026 at 21:06:00
Source:
bleepingcomputer.com
Enterprise Applications, Ransomware & Malware, Supply Chain & Dependencies
Hackers are actively exploiting two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptocurrency miners on developers' servers. The vulnerabilities allow remote code execution, enabling attackers to compromise systems and install cryptomining malware. This represents an ongoing threat to organizations using the Qinglong task scheduler in their development environments.
Technical details
Two authentication bypass vulnerabilities in the Qinglong task scheduler can be chained to achieve remote code execution. CVE-2026-3965 involves a misconfigured rewrite rule that maps '/open/*' requests to '/api/*', exposing protected admin endpoints. CVE-2026-4047 exploits a case-sensitivity mismatch: the authentication checks treat paths as case-sensitive, while the router matches them case-insensitively. Both flaws stem from a mismatch between the middleware authorization logic and Express.js routing behavior. Attackers exploit them to modify config.sh and inject shell commands that download cryptominers.
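The mismatch described above, reduced to a self-contained model (an added example, not Qinglong's code and not the fix from PR #2941; the route, paths and function names are constructed). The weak check decides on the raw URL, while the hardened check decides on the path the router will actually dispatch.

```javascript
// Simplified model of the check/route mismatch. Not Qinglong's code:
// every path and function name here is constructed for illustration.

// Rewrite rule as described in the advisory: /open/* is served by /api/*.
function rewrite(path) {
  return path.replace(/^\/open\//i, '/api/');
}

// Express matches route paths case-insensitively unless the
// "case sensitive routing" setting is enabled.
function routerFinds(path, routes) {
  return routes.includes(path.toLowerCase());
}

// Weak check: decides on the raw URL, case-sensitively, before the rewrite.
function weakNeedsAuth(rawPath) {
  return rawPath.startsWith('/api/');
}

// Hardened check: canonicalise exactly as the router will (rewrite, then
// lowercase) and authorize the path that will actually be dispatched.
function hardenedNeedsAuth(rawPath) {
  return rewrite(rawPath).toLowerCase().startsWith('/api/');
}

// Returns the HTTP status a request would receive under the given check.
function handle(rawPath, authenticated, needsAuth, routes) {
  if (needsAuth(rawPath) && !authenticated) return 401;
  return routerFinds(rewrite(rawPath), routes) ? 200 : 404;
}

// Constructed sample: one protected route, three unauthenticated requests.
const ROUTES = ['/api/example'];
const SAMPLES = ['/api/example', '/API/example', '/open/example'];

function compare() {
  return SAMPLES.map((p) => ({
    path: p,
    weak: handle(p, false, weakNeedsAuth, ROUTES),
    hardened: handle(p, false, hardenedNeedsAuth, ROUTES),
  }));
}

console.table(compare());
```

In the model, only the hardened check returns 401 for all three unauthenticated requests, because it applies the same rewrite and case folding as the router before deciding.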
Mitigation steps:
Install the latest Qinglong update. The effective fix came in PR #2941, which corrected the authentication bypass in the middleware. Monitor for processes named '.fullgc' that consume between 85% and 100% of CPU. Check for modifications to the config.sh file and for unauthorized downloads to the /ql/data/db/ directory.
Affected products:
Qinglong task scheduler versions 2.20.1 and older
Related links:
http://github.com/whyour/qinglong
https://snyk.io/blog/qinglong-task-scheduler-rce-vulnerabilities/
https://github.com/whyour/qinglong/issues/2923
https://github.com/whyour/qinglong/issues/2926
https://github.com/whyour/qinglong/issues/2928
IOC's:
file.551911.xyz, .fullgc, /ql/data/db/.fullgc
This article was created with the assistance of AI technology by Perceptive.
