
Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining

Why This Matters

The exploitation of critical remote code execution vulnerabilities in the Qinglong task scheduler highlights significant security risks in open-source tools widely used by developers, emphasizing the need for prompt patching and vigilant monitoring. These flaws have already been exploited to deploy cryptominers, illustrating how attackers can leverage such vulnerabilities to compromise systems and consume resources maliciously. This incident underscores the importance of robust security practices in open-source projects to protect both developers and end-users.

Key Takeaways

Hackers are exploiting two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptominers on developers' servers.

Exploitation started in early February, before the security issues were disclosed publicly at the end of the month, according to researchers at cloud-native application security company Snyk.

Qinglong is a self-hosted open-source time management platform popular among Chinese developers. It has been forked more than 3,200 times and has over 19,000 stars on GitHub.

The two security problems impact Qinglong versions 2.20.1 and older and can be chained to achieve remote code execution:

CVE-2026-3965: A misconfigured rewrite rule maps ‘/open/*’ requests to ‘/api/*’, unintentionally exposing protected admin endpoints through an unauthenticated path.

CVE-2026-4047: The authentication check treats paths as case-sensitive (/api/), while the router matches them case-insensitively, allowing requests like ‘/aPi/...’ to bypass authentication and reach protected endpoints.

The root cause in both flaws is a mismatch between middleware authorization logic and Express.js routing behavior.

“Both vulnerabilities stem from a mismatch between the security middleware's assumptions and the framework's behavior,” Snyk researchers explain.

“The auth layer assumed certain URL patterns would always be handled one way, while Express.js treated them differently.”
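The case-sensitivity mismatch behind CVE-2026-4047 can be modelled in a few lines. The following is an added example, not code from Qinglong, Snyk, or the original article: the function names, the `/api/example` path, and the sample request paths are all constructed for illustration. It shows a guard that compares the raw path next to one that canonicalises the path the same way the router does, plus a log-triage helper that flags requests reaching the protected prefix only through case folding.

```javascript
// Simplified model of the mismatch; hypothetical names, not Qinglong's source.
const PROTECTED_PREFIX = '/api/';

// Express matches route paths case-insensitively unless the
// "case sensitive routing" setting is enabled. Modelled here.
function routerDispatch(path) {
  return path.toLowerCase().startsWith(PROTECTED_PREFIX) ? 'protected-handler' : null;
}

// Flawed guard: case-sensitive comparison on the raw path.
function flawedGuard(path, authenticated) {
  if (path.startsWith(PROTECTED_PREFIX)) return authenticated;
  return true; // anything else is assumed to be public
}

// Hardened guard: canonicalise exactly as the router does before deciding.
function hardenedGuard(path, authenticated) {
  if (path.toLowerCase().startsWith(PROTECTED_PREFIX)) return authenticated;
  return true;
}

// Guard runs first, then routing, as middleware ordering would have it.
function handle(guard, path, authenticated) {
  if (!guard(path, authenticated)) return 401;
  return routerDispatch(path) ? 200 : 404;
}

// Log triage: paths that reach the protected prefix only through case folding.
function mixedCaseApiHits(paths) {
  return paths.filter(
    (p) => p.toLowerCase().startsWith(PROTECTED_PREFIX) && !p.startsWith(PROTECTED_PREFIX)
  );
}

// Constructed sample request paths (not taken from real logs).
const samplePaths = ['/api/example', '/aPi/example', '/API/example', '/static/app.js'];

for (const p of samplePaths) {
  console.log(p, 'flawed:', handle(flawedGuard, p, false), 'hardened:', handle(hardenedGuard, p, false));
}
console.log('review:', mixedCaseApiHits(samplePaths));
```

The same principle applies to rewrite rules: the authorization decision should be made on the path the router will actually dispatch, after every rewrite and normalisation step has run.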

Snyk reports that attackers have been targeting these two flaws on publicly exposed Qinglong panels to deploy cryptominers since February 7.
