RC RANDOM CHAOS

Qinglong scheduler RCE chain mines crypto on exposed Chinese dev servers

via BleepingComputer

Original source: "Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining" (BleepingComputer)

Two authentication bypass flaws in Qinglong, a self-hosted task scheduler with strong adoption among Chinese developers, are being chained for remote code execution and cryptominer deployment. CVE-2026-3965 stems from a rewrite rule that exposes protected admin endpoints via an unauthenticated path, while CVE-2026-4047 abuses a case-sensitivity mismatch between the auth middleware and Express.js routing — requests like /aPi/... slip past checks the middleware only applies to /api/. Both bugs trace to the middleware making assumptions that the underlying framework does not honor.
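The case-sensitivity seam described above, as an added illustration that is not Qinglong's code or the fix from its maintainers. It assumes Express's default router, which matches route paths case-insensitively unless the app sets `caseSensitive: true`; function names and the `/api` prefix used as the protected area are hypothetical.

```javascript
// Vulnerable pattern: the auth middleware compares the raw request path
// case-sensitively, so "/aPi/..." is treated as public.
function requiresAuthNaive(path) {
  return path.startsWith('/api/');
}

// Model of how Express's default router decides that app.use('/api', ...)
// handles a request: prefix match, case-insensitive. (Assumption: default
// router settings; the real router does not resolve dot segments either.)
function routerMatches(routePrefix, path) {
  const esc = routePrefix.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + esc + '(?:/|$)', 'i').test(path);
}

// Hardened pattern: canonicalise before the policy decision (decode, drop
// the query string, collapse duplicate slashes, resolve dot segments,
// lower-case). This is deliberately stricter than the router's own view so
// that no spelling of a protected path can reach it unauthenticated.
function canonicalPath(path) {
  let decoded;
  try {
    decoded = decodeURIComponent(path.split('?')[0]);
  } catch {
    return null; // malformed percent-encoding
  }
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/').toLowerCase();
}

function requiresAuthHardened(path) {
  const canon = canonicalPath(path);
  if (canon === null) return true; // fail closed on undecodable input
  return canon === '/api' || canon.startsWith('/api/');
}

// True when the router would dispatch the request to a protected /api route
// while the naive guard let it through: the mismatch the advisory describes.
function bypassPossible(path) {
  return routerMatches('/api', path) && !requiresAuthNaive(path);
}
```

The same mismatch disappears if the guard is registered on the router under the same mount path as the protected routes, because then one matcher makes both decisions; the canonicalising check above is the belt-and-braces version for middleware that must inspect paths itself.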

Snyk observed in-the-wild exploitation starting February 7, weeks before public disclosure. Attackers modified Qinglong’s config.sh to pull a miner from file.551911.xyz, dropping it at /ql/data/db/.fullgc — a name chosen to impersonate the legitimate Java Full GC process. Multi-architecture binaries (x86_64, ARM64, macOS) suggest a broader campaign, and victims first noticed the intrusion through CPU pegged at 85–100%.

Maintainers responded on March 1 with PR #2924 targeting command injection patterns, which Snyk flagged as inadequate. The actual auth-bypass fix landed later in PR #2941. The episode is a reminder that middleware-based authorization is only as sound as its alignment with the router’s matching semantics — case handling and path rewriting are routinely overlooked seams.


This is an AI-generated summary. Read the original for the full story.