
Qinglong Task Scheduler RCE Flaws Exploited in the Wild


Marcus Rodriguez
April 30, 2026

Early 2026 saw hackers actively exploiting two critical authentication bypass vulnerabilities in the popular open-source Qinglong task scheduler.

According to Snyk security reports, unauthenticated attackers breached publicly accessible panels, achieving remote code execution to install a hidden, resource-draining cryptominer named .fullgc.

Qinglong is a self-hosted task scheduling dashboard that supports multiple scripting languages, including Python 3 and JavaScript.

Snyk notes that the project has gained massive popularity, particularly among the Chinese developer community, accumulating over 19,000 stars on GitHub.

Users frequently deploy the platform on cloud virtual private servers and home networks using Docker containers.

Cryptomining Campaign

Around February 7, 2026, administrators began noticing abnormal activity. BleepingComputer highlights that sudden CPU spikes pushed server capacity to 100%.

Attackers exploited the unpatched flaws to modify Qinglong’s configuration script, quietly downloading the .fullgc cryptominer disguised as a Java garbage collection process.

This deceptive naming convention was designed to delay administrative investigations while the malware consumed system resources.

The attacks were made possible by two severe flaws in Qinglong versions 2.20.1 and earlier.

Snyk researchers explain that both vulnerabilities stem from a mismatch between the security middleware assumptions and the Express.js framework’s routing behavior.

CVE-2026-3965, detailed in GitHub Issue #2933, arises from a URL rewrite rule that incorrectly maps /open/* requests to protected /api/* endpoints.

This flaw allows an attacker to reinitialize and reset administrative credentials with a single unauthenticated request.

CVE-2026-4047, detailed in GitHub Issue #2934, exploits case-insensitive URL handling by altering request casing (e.g., /aPi/) to bypass protections on /api/ endpoints.

Snyk’s vulnerability database shows that this grants direct remote code execution without requiring a credential reset.
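The two bypass classes described above can be reproduced in a small model of a guard that runs in front of a rewrite step and a case-insensitive router. This is an added example, not Qinglong's code: the route `/api/demo/protected`, the `authenticated` field and the ordering of guard and rewrite are assumptions made for illustration.

```javascript
// Simplified model of a guard/router mismatch. Added illustration only:
// not Qinglong's code; the route and request fields are hypothetical.
const ROUTES = ['/api/demo/protected'];

// Express matches route paths case-insensitively unless
// "case sensitive routing" is enabled, so the model lowercases both sides.
function routeMatches(route, path) {
  return route.toLowerCase() === path.toLowerCase();
}

// Rewrite step: /open/* is served by the same handlers as /api/*.
function rewrite(path) {
  return path.replace(/^\/open\//, '/api/');
}

// Weak guard: case-sensitive prefix test on the URL as received.
function vulnerableGuard(req) {
  const needsAuth = req.path.startsWith('/api/');
  return !needsAuth || req.authenticated;
}

// Corrected guard: decide on the path the router will dispatch,
// i.e. after the rewrite and with case folded.
function hardenedGuard(req) {
  const effective = rewrite(req.path).toLowerCase();
  const needsAuth = effective.startsWith('/api/');
  return !needsAuth || req.authenticated;
}

// Guard, then rewrite, then route lookup. Returns an HTTP-like status.
function handle(req, guard) {
  if (!guard(req)) return 401;
  const target = rewrite(req.path);
  return ROUTES.some((r) => routeMatches(r, target)) ? 200 : 404;
}

// Unauthenticated requests in canonical, mixed-case and /open/ form.
function demo(guard) {
  const paths = ['/api/demo/protected', '/aPi/demo/protected', '/open/demo/protected'];
  return paths.map((path) => handle({ path, authenticated: false }, guard));
}

console.log('vulnerable:', demo(vulnerableGuard)); // [401, 200, 200]
console.log('hardened:  ', demo(hardenedGuard));   // [401, 401, 401]
```

The corrected guard evaluates the same string the router sees, which is why filtering individual inputs does not close the gap while a guard and router that disagree about the path remain in place.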

Incident Timeline

The exploitation remained largely unnoticed by the English-speaking security community while wreaking havoc on developer forums.

  • February 7-8: Initial users report the .fullgc cryptominer causing severe CPU exhaustion.
  • February 10: The community requests a public warning as infections spread across different deployment setups.
  • February 27: Researchers publicly disclose the root cause as two distinct authentication bypass vulnerabilities.
  • March 1: The platform maintainers confirm the security flaws and urge users to apply the latest updates.

Initially, GitHub pull requests showed the community attempting to mitigate the threat by filtering malicious inputs, but this proved inadequate against the underlying access control flaw.

The maintainers ultimately resolved the vulnerability by directly fixing the middleware’s authentication logic.

To secure their systems, operators should immediately update their Docker containers, audit for hidden .fullgc files, and place self-hosted panels behind secure VPNs.
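As part of that audit, reverse-proxy or container access logs can be checked for requests that match the two bypass patterns. The following is an added example, not tooling from Snyk or the Qinglong project; the log lines are constructed, the combined log format and the `/demo/` paths are assumptions, and `knownOpenClients` is a hypothetical allowlist of addresses expected to call `/open/`.

```javascript
// Constructed sample lines in combined log format (not real traffic).
const SAMPLE_LOG = [
  '198.51.100.4 - - [07/Feb/2026:03:10:01 +0000] "GET /api/demo/status HTTP/1.1" 200 120',
  '203.0.113.7 - - [07/Feb/2026:03:12:44 +0000] "PUT /aPi/demo/config HTTP/1.1" 200 64',
  '203.0.113.7 - - [07/Feb/2026:03:12:51 +0000] "PUT /open/demo/config?t=1 HTTP/1.1" 200 64',
  '198.51.100.4 - - [07/Feb/2026:03:13:02 +0000] "GET /open/demo/list HTTP/1.1" 200 300',
  '203.0.113.9 - - [07/Feb/2026:03:14:10 +0000] "GET /API/demo/status HTTP/1.1" 401 0',
  'malformed line that the parser must skip',
];

// client, method, request target, status
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})\b/;

// Flags (1) /api/ prefixes written in non-canonical case and
// (2) /open/ requests from clients outside the allowlist.
function triage(lines, knownOpenClients = new Set()) {
  const findings = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // unparseable lines are ignored, not guessed at
    const [, ip, method, target, status] = m;
    const path = target.split('?')[0];
    const lower = path.toLowerCase();
    let reason = null;
    if (lower.startsWith('/api/') && !path.startsWith('/api/')) {
      reason = 'non-canonical case on /api/ prefix';
    } else if (lower.startsWith('/open/') && !knownOpenClients.has(ip)) {
      reason = '/open/ request from unlisted client';
    }
    if (reason) findings.push({ ip, method, path, status: Number(status), reason });
  }
  return findings;
}

// Sources whose flagged requests were answered with a non-error status:
// these hosts are the ones to check first for changed credentials or config.
function successfulSources(findings) {
  return [...new Set(findings.filter((f) => f.status < 400).map((f) => f.ip))];
}

const findings = triage(SAMPLE_LOG, new Set(['198.51.100.4']));
console.log(findings);
console.log('answered with success:', successfulSources(findings));
```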
