Two authentication bypass vulnerabilities (CVE-2026-3965 and CVE-2026-4047) in Qinglong, a popular open source task scheduling panel with 19,000+ GitHub stars, were actively exploited in early 2026 to deploy cryptomining malware. The first flaw abused URL rewriting in Express.js middleware to reach protected admin endpoints unauthenticated; the second exploited case-sensitive path matching to bypass auth checks entirely. Attackers injected a hidden binary called `.fullgc` that consumed 85-100% CPU and persisted across restarts. The incident highlights a common anti-pattern where authorization middleware and the routing layer disagree on how requests are classified. Key lessons include auditing middleware chains for URL normalization mismatches, placing self-hosted panels behind VPNs, monitoring container resource usage, and keeping Docker images updated.
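As an added illustration (not Qinglong's code or the article's), the anti-pattern described above modelled in plain JavaScript: an auth middleware that classifies paths case-sensitively beside a router that, like Express by default, matches case-insensitively, plus an audit helper that lists requests the two layers disagree on. The prefix list, function names and sample request paths are hypothetical.

```javascript
// Added example, not Qinglong's code. Models an auth middleware whose path
// classification differs from the router's, and the normalized fix.
const PROTECTED_PREFIXES = ["/api/admin"]; // hypothetical protected area

// Strip the query string so only the path is classified.
function pathOnly(rawUrl) {
  return rawUrl.split("?")[0];
}

// Router-like matching. Express routes are case-insensitive unless the
// "case sensitive routing" setting is enabled, so compare in lower case.
function routerDispatchesToProtected(rawUrl) {
  const p = pathOnly(rawUrl).toLowerCase();
  return PROTECTED_PREFIXES.some((pre) => p.startsWith(pre.toLowerCase()));
}

// Weak middleware check: exact, case-sensitive prefix test on the raw URL.
// A request the router still sends to an admin handler can fail this test.
function requiresAuthWeak(rawUrl) {
  return PROTECTED_PREFIXES.some((pre) => rawUrl.startsWith(pre));
}

// Hardened check: normalize the same way the router classifies (lower case,
// query stripped, duplicate slashes collapsed) before comparing prefixes.
function normalizePath(rawUrl) {
  return pathOnly(rawUrl).replace(/\/+/g, "/").toLowerCase();
}
function requiresAuthHardened(rawUrl) {
  const p = normalizePath(rawUrl);
  return PROTECTED_PREFIXES.some((pre) => p.startsWith(normalizePath(pre)));
}

// Audit helper: requests the router treats as protected but the given
// middleware check would wave through. An empty result is the goal.
function findMismatches(requests, check) {
  return requests.filter((r) => routerDispatchesToProtected(r) && !check(r));
}

// Constructed sample request paths for the audit.
const SAMPLE_REQUESTS = [
  "/api/admin/config",
  "/API/admin/config",
  "/Api/Admin/config?x=1",
  "/api/public/health",
];

// In a real Express app the more robust fix is structural: mount the auth
// middleware on the same router (router.use(auth)) so both layers share one
// classifier, rather than re-implementing the router's matching rules.
```

Running `findMismatches(SAMPLE_REQUESTS, requiresAuthWeak)` reports the two mixed-case paths, while the hardened check reports none.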