CVE-2026-3965 critical Patched AI Draft

Qinglong Task Scheduler Authentication Bypass RCE (CVE-2026-3965)

CVE: CVE-2026-3965
Platform: @whyour/qinglong before 2.20.2
Type: Remote Code Execution
Severity: CRITICAL
Status: Patched
Zero-Day: Confirmed
Disclosed: February 26, 2026
Patched: March 1, 2026
Days in the Wild: 23
Researcher: Edward W
CISA KEV: Not Listed

Severity Assessment

  • Exploitability: 9/10
  • Impact: 9/10
  • Weaponization Risk: 9/10
  • Patch Urgency: 9/10
  • Detection Coverage: 5/10

Summary

CVE-2026-3965 is a critical authentication bypass leading to unauthenticated remote code execution in the Qinglong task scheduler (@whyour/qinglong) at versions up to and including 2.20.1. According to Snyk, an Express.js middleware in back/loaders/express.ts rewrote requests from /open/* to /api/$1, which allowed a remote attacker to reach protected administrative endpoints without valid credentials, complete the server initialisation flow after configuration, reset the administrator password, and obtain administrative control of the instance. With that access, an attacker could invoke Qinglong’s command and configuration functionality to execute arbitrary commands on the host.

Snyk Vulnerability Database records the disclosure date as 2026-02-26, and a public GitHub issue documented CVE-2026-3965 on 2026-02-27. The upstream project released version 2.20.2 on 2026-03-01, and the National Vulnerability Database identifies commit 6bec52dca158481258315ba0fc2f11206df7b719 as the patch identifier.

Snyk reports that exploitation was already underway before public reporting, with user reports of CPU exhaustion appearing on or about 2026-02-07 to 2026-02-08 and tied to a cryptominer binary deployed through the vulnerability chain. Snyk lists the exploit maturity as attacked and a recommended CVSS score of 9.3 critical. The current CISA Known Exploited Vulnerabilities catalog did not list CVE-2026-3965 at the time of review, so CISA KEV is not used as exploitation confirmation.

Exploit Chain

Stage 1: Exposed Qinglong Instance

An attacker locates an internet-reachable Qinglong instance running an affected version at or below 2.20.1. Snyk’s reporting focused on self-hosted Qinglong panels that were reachable from external networks.

Stage 2: Authentication Bypass Through URL Rewriting

The attacker sends requests to the /open/* route. Snyk describes an Express.js middleware rule that rewrote those requests to /api/$1, creating an unintended path to protected administrative endpoints.

Stage 3: Administrative Control

Using the rewritten route, the attacker reaches functionality that should have required authentication. Snyk describes that this allowed a remote attacker to access the server initialisation flow after configuration, reset the administrator password, and obtain administrative access without authorisation.

Stage 4: Command Execution

With administrative access, the attacker reaches Qinglong’s command and configuration functionality. The public GitHub issue identifies the /command-run route under back/api/system.ts and demonstrates a PUT /api/system/command-run request whose command parameter is executed by the server. NVD similarly describes manipulation of the command argument in the API interface as leading to protection-mechanism failure.

Stage 5: Cryptomining Payload

In the activity reported by Snyk, attackers modified config.sh to inject a shell script, downloaded a platform-specific binary from file.551911.xyz, saved it as /ql/data/db/.fullgc, made it executable, and launched it as a cryptominer.

Detection Guidance

Identify Qinglong deployments and confirm the running version. Any instance at or below 2.20.1 is affected; the upstream v2.20.2 release contains the fix referenced by NVD.

Review HTTP access logs for requests to /open/* paths, especially requests that reach administrative endpoints or the system initialisation flow. Requests to /open/ from unexpected sources should be investigated because the documented issue relies on URL rewriting from that route family into API endpoints.

Look for PUT requests to /api/system/command-run or rewritten routes that reach command execution functionality and include a command parameter. Also review administrative audit logs for unexpected password resets, first-run initialisation events on already-deployed instances, or configuration edits that do not match operator activity.

On hosts, monitor for unexpected changes to Qinglong’s config.sh, creation or execution of /ql/data/db/.fullgc, sustained CPU exhaustion, and outbound network connections to file.551911.xyz or other untrusted download hosts.
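To make the access-log review above concrete, the following is an added example (not code from the advisory, Snyk, or the Qinglong project) that applies the documented /open/* to /api/$1 rewrite to combined-format log lines and flags both rewritten requests and PUTs reaching /api/system/command-run. The log lines, the IPs and the /open/example/... paths are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access log (combined-log style, documentation IPs). The
# /open/example/... paths are hypothetical; /api/system/command-run and the
# /open/* -> /api/$1 rewrite are the ones named in the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Feb/2026:10:01:12 +0000] "GET /open/example/status HTTP/1.1" 200 512
203.0.113.5 - - [07/Feb/2026:10:01:13 +0000] "PUT /open/system/command-run HTTP/1.1" 200 88
203.0.113.5 - - [07/Feb/2026:10:01:14 +0000] "PUT /api/system/command-run?x=1 HTTP/1.1" 200 88
198.51.100.9 - - [07/Feb/2026:10:02:00 +0000] "GET /api/example/status HTTP/1.1" 401 0
198.51.100.9 - - [07/Feb/2026:10:02:30 +0000] "GET /static/app.js HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
COMMAND_RUN = "/api/system/command-run"  # route named in the public GitHub issue

def effective_path(path: str) -> str:
    """Apply the rewrite the vulnerable middleware applied (/open/* -> /api/$1),
    minus any query string, so an /open/ request is judged by what it reaches."""
    return re.sub(r"^/open/(.*)$", r"/api/\1", path.split("?", 1)[0])

def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_access_log(text: str) -> List[Dict[str, str]]:
    """One finding per suspicious request: 'open-rewrite' for any /open/* hit
    (the rewrite into /api/ is what bypassed auth), 'command-run' for a PUT
    that reaches the command execution endpoint directly or via /open/."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # unparseable line; keep scanning
        target = effective_path(rec["path"])
        if rec["path"].startswith("/open/"):
            findings.append({**rec, "effective": target, "rule": "open-rewrite"})
        if rec["method"] == "PUT" and target == COMMAND_RUN:
            findings.append({**rec, "effective": target, "rule": "command-run"})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f'{f["rule"]:12} {f["ip"]:15} {f["method"]} {f["path"]} -> {f["effective"]} {f["status"]}')
```

A PUT to /open/system/command-run produces two findings (the rewrite itself and the command-run hit), which is the pattern the exploit chain above would leave in a proxy log in front of an unpatched instance.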

Indicators of Compromise

File And Host Indicators

  • /ql/data/db/.fullgc
  • Unexpected modifications to Qinglong config.sh
  • Sustained high CPU utilisation on Qinglong hosts

Network Indicators

  • Outbound download traffic to file.551911.xyz
  • Suspicious requests to Qinglong /open/* routes that reach administrative API functionality
  • Requests to command-execution endpoints with attacker-supplied command parameters

These indicators come from the activity described by Snyk and should be treated as historical evidence from one observed cryptomining campaign, not a complete detection list for all possible exploitation.

Disclosure Timeline

2026-02-07 to 2026-02-08 — Early User Reports

Snyk reports that Qinglong users began reporting CPU exhaustion around 2026-02-07 to 2026-02-08, later tied to cryptomining activity using a .fullgc payload.

2026-02-26 — Snyk Disclosure Date

Snyk Vulnerability Database records CVE-2026-3965 as disclosed on 2026-02-26 and credits Edward W.

2026-02-27 — Public GitHub Issue

A public GitHub issue described CVE-2026-3965 against whyour/qinglong v2.20.1, including a proof-of-concept request to the command execution endpoint.

2026-03-01 — Upstream Release

The upstream whyour/qinglong project published v2.20.2. NVD identifies commit 6bec52dca158481258315ba0fc2f11206df7b719 as the patch identifier.

2026-03-12 — Snyk Vulnerability Database Entry Published

Snyk Vulnerability Database published SNYK-JS-WHYOURQINGLONG-15440732 and marked the exploit maturity as attacked.

2026-04-27 — Snyk Technical Write-Up

Snyk published a detailed write-up describing Qinglong task scheduler RCE vulnerabilities exploited in the wild for cryptomining.

Sources & References