In early 2026, thousands of developers running the popular Qinglong task scheduler noticed a terrifying trend: server CPU usage instantly hitting 100%. Investigations by Snyk and community researchers revealed that unauthenticated hackers were breaching publicly accessible dashboards to install a hidden cryptominer named .fullgc.
Qinglong, an open-source platform with over 19,000 GitHub stars, is a staple for the Chinese developer community and home-lab enthusiasts. By exploiting two critical authentication bypass flaws, attackers have effectively turned these self-hosted automation hubs into a massive, illegal mining network.
The Vulnerabilities: A Fatal Logic Mismatch
The exploits, tracked as CVE-2026-3965 and CVE-2026-4047, highlight a dangerous architectural flaw: a “logic mismatch” between Qinglong’s security middleware and the underlying Express.js framework.
1. The URL Rewrite Trap (CVE-2026-3965)
The system used a rule that mapped /open/* requests to protected /api/* endpoints. Attackers discovered they could send a single unauthenticated request to /open/user/init to reinitialize the admin account and reset the password, granting them total control of the panel.
2. The Case-Sensitivity Bypass (CVE-2026-4047)
While the security layer looked for protected routes using case-sensitive checks (e.g., /api/), Express.js is case-insensitive. By simply changing the request to /aPi/, hackers bypassed all authentication checks to execute remote code directly on the host system.
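The following plain-Node model is an added illustration of the mismatch class just described; it is not Qinglong's or Express's own code. It pairs the weak, raw-URL gate with a hardened gate that decides on the path the router will actually see, and adds an access-log check a defender can adapt; the allow-list, the log format and the sample lines are assumptions.

```javascript
// Added model (not Qinglong's code) of an Express-style middleware/router mismatch.
// Express matches routes case-insensitively by default, so "/aPi/x" reaches the
// handler registered under "/api/x". This models that behaviour.
function routerMatches(routePrefix, reqPath) {
  return reqPath.toLowerCase().startsWith(routePrefix.toLowerCase());
}

// Rewrite rule of the kind the article describes: /open/* -> /api/*.
function applyRewrite(reqPath) {
  return reqPath.startsWith('/open/') ? '/api/' + reqPath.slice(6) : reqPath;
}

// Weak gate: case-sensitive prefix test on the raw URL, run before the rewrite.
function weakRequiresAuth(rawPath) {
  return rawPath.startsWith('/api/');
}

// Hardened gate: decide on the path the router will actually see (rewritten,
// case-folded) and require auth for everything not on a small allow-list.
const PUBLIC_PREFIXES = ['/api/login', '/static/']; // assumed allow-list
function hardenedRequiresAuth(rawPath) {
  const canonical = applyRewrite(rawPath).toLowerCase();
  return !PUBLIC_PREFIXES.some((p) => canonical.startsWith(p));
}

// One simulated request: 'denied', or the handler path that was reached.
function dispatch(rawPath, requiresAuth, authenticated) {
  if (requiresAuth(rawPath) && !authenticated) return 'denied';
  const effective = applyRewrite(rawPath);
  return routerMatches('/api/', effective) ? 'api:' + effective.toLowerCase() : 'public';
}

// Audit helper for access-log lines of the form "METHOD PATH STATUS" (assumed
// format): returns successful requests that the weak gate let through without
// auth but that the router sent to a protected /api handler.
function findBypasses(logLines) {
  return logLines
    .map((line) => line.trim().split(/\s+/))
    .filter(([, path, status]) => status === '200' && !weakRequiresAuth(path)
      && hardenedRequiresAuth(path) && routerMatches('/api/', applyRewrite(path)))
    .map(([method, path]) => `${method} ${path}`);
}

// Constructed sample log (not real traffic).
const SAMPLE_LOG = [
  'GET /api/user/init 401',
  'POST /aPi/user/init 200',
  'PUT /open/user/init 200',
  'GET /api/login 200',
  'GET /static/app.js 200',
];
```

Running findBypasses over SAMPLE_LOG flags the two mixed-case and rewritten requests and nothing else; the same check over a real log would need its format adapted.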
Timeline of a Silent Breach
While the technical cause was disclosed in late February, the “in-the-wild” damage began weeks earlier:
- Feb 7-8, 2026: First reports of .fullgc malware causing severe CPU exhaustion.
- Feb 10, 2026: Public PoC exploits appear, accelerating the wave of infections.
- Feb 27, 2026: Snyk researchers officially link the infections to the Express.js routing flaws.
- March 1, 2026: Qinglong maintainers release a fix for the authentication logic.
Inside the Payload: Deceptive Mining
The attackers used a clever naming convention to stay hidden. The malware binary, .fullgc, was designed to mimic a standard Java “Full Garbage Collection” process. To a busy administrator, a “garbage collection” process consuming high CPU looks like a performance bug rather than a malicious intrusion.
On Linux systems, the malware modifies the configuration scripts to ensure it restarts every time the container or host reboots, making manual removal difficult without a full system audit.
How to Secure Your Qinglong Instance
If you are running Qinglong version 2.20.1 or earlier, your system is likely compromised or at extreme risk.
- Update Immediately: Pull the latest Docker image (v2.20.2 or higher) which fixes the middleware routing logic.
- Audit for Miners: Run ls -a in your root and home directories. Search for hidden files named .fullgc or .gc.
- Check Credentials: If you were running an unpatched version, assume your admin credentials have been reset. Change them immediately after updating.
- Network Hardening: Never expose a task scheduler directly to the internet. Use a VPN or a Zero-Trust Tunnel (like Cloudflare Tunnels) to access your dashboard.
Conclusion: The Lesson of Framework Friction
The Qinglong exploit is a textbook example of how “secure” code can fail when it doesn’t align with the framework it sits on. When your security middleware sees a URL differently than your router does, a bypass is inevitable.