CVE-2026-3965 Overview
A security vulnerability has been identified in whyour qinglong up to and including version 2.20.1. It affects the file back/loaders/express.ts in the API Interface component. Manipulation of the command argument causes a protection mechanism failure, enabling an authentication bypass that lets unauthorized users reset credentials on already initialized systems. The attack can be launched remotely, and an exploit has been disclosed publicly.
Critical Impact
Remote attackers can bypass authentication protections via the /open/user/init endpoint to reset credentials on already initialized Qinglong systems, potentially gaining full administrative access.
Affected Products
- whyour qinglong versions up to 2.20.1
Discovery Timeline
- March 12, 2026 - CVE-2026-3965 published to NVD
- March 12, 2026 - Last updated in NVD database
Technical Details for CVE-2026-3965
Vulnerability Analysis
This vulnerability is classified under CWE-693 (Protection Mechanism Failure). The root issue lies in an incomplete path validation within the Express.js middleware in the Qinglong scheduling panel. The authentication middleware was designed to allow unauthenticated access to initialization endpoints (/api/user/init and /api/user/notification/init) to enable first-time setup. However, the middleware failed to account for alternative path prefixes, specifically the /open/ prefix.
Attackers can exploit this oversight to access user initialization functionality through the /open/user/init endpoint, bypassing the intended authentication checks. This allows credential reset operations on systems that have already been initialized, effectively compromising the administrative account.
Root Cause
The vulnerability stems from an incomplete allowlist implementation in the Express.js middleware. The original code only checked for /api/user/init and /api/user/notification/init paths when determining whether to allow unauthenticated access. The middleware used toLowerCase() for path comparison but failed to include the /open/ prefix variants in the allowlist, creating an authentication bypass vector.
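The allowlist gap described above, modelled as an added example (not qinglong's own code): a pure-function version of the initialization gate so the pre-fix and post-fix allowlists can be compared without running Express. The isInitialized() lookup is a hypothetical stand-in for the panel's storage layer, and the path normalisation is an extra hardening beyond the page's patch.

```javascript
// Added example, not qinglong's own code: models the init-endpoint gate as pure
// functions so the pre-fix and post-fix allowlists can be compared side by side.

// Allowlist before the fix: only the /api/ prefix is recognised.
const INIT_PATHS_VULNERABLE = ['/api/user/init', '/api/user/notification/init'];

// Allowlist after commit 6bec52d: the /open/ prefix variants are covered too.
const INIT_PATHS_PATCHED = [
  ...INIT_PATHS_VULNERABLE,
  '/open/user/init',
  '/open/user/notification/init',
];

// Hardening beyond the page's patch: fold case and drop trailing slashes before
// matching, since Express routing is case-insensitive and non-strict by default.
function normalizePath(path) {
  const folded = path.toLowerCase().replace(/\/+$/, '');
  return folded === '' ? '/' : folded;
}

// Builds the gate. isInitialized() is a hypothetical lookup that returns true
// once an admin account exists. Results: 'next' (not an init path, ordinary auth
// applies downstream), 'blocked' (init path on an initialized system), or
// 'allowed' (first-time setup still pending).
function makeInitGate(allowlist, isInitialized) {
  return function gate(path) {
    if (!allowlist.includes(normalizePath(path))) {
      return 'next';
    }
    return isInitialized() ? 'blocked' : 'allowed';
  };
}

// Runs both gates against one request path on an already-initialized system.
function compareGates(path) {
  const initialized = () => true;
  return {
    vulnerable: makeInitGate(INIT_PATHS_VULNERABLE, initialized)(path),
    patched: makeInitGate(INIT_PATHS_PATCHED, initialized)(path),
  };
}

// On the vulnerable build /open/user/init falls through the gate ('next'), which
// per the advisory is how the reset handler was reached; the patched build blocks it.
console.log(compareGates('/open/user/init')); // { vulnerable: 'next', patched: 'blocked' }
```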
Attack Vector
This vulnerability is exploitable over the network by unauthenticated or low-privileged attackers. The attack requires no user interaction and has low attack complexity. An attacker can send specially crafted HTTP requests to the /open/user/init endpoint to trigger the credential reset functionality on an already initialized Qinglong instance. This could allow complete takeover of the scheduling panel.
// Security patch from back/loaders/express.ts
// Source: https://github.com/whyour/qinglong/commit/6bec52dca158481258315ba0fc2f11206df7b719
app.use(async (req, res, next) => {
const pathLower = req.path.toLowerCase();
- if (!['/api/user/init', '/api/user/notification/init'].includes(pathLower)) {
+ if (
+ ![
+ '/api/user/init',
+ '/api/user/notification/init',
+ '/open/user/init',
+ '/open/user/notification/init',
+ ].includes(req.path)
+ ) {
return next();
}
const authInfo =
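Review bot: the new condition matches against req.path, but the line above it still computes pathLower = req.path.toLowerCase(), which the hunk now leaves unused; the allowlist check therefore becomes case-sensitive while Express routes case-insensitively unless the "case sensitive routing" setting is enabled. Either compare against pathLower, as the removed line did, or delete the dead variable so the intent is unambiguous. The hunk also ends at "const authInfo =", so the initialization-state check that the advisory says these paths now flow into is not visible in this excerpt and cannot be reviewed here.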
Detection Methods for CVE-2026-3965
Indicators of Compromise
- Unexpected HTTP requests to /open/user/init or /open/user/notification/init endpoints
- Unauthorized credential reset events in application logs
- Administrative account access from unknown IP addresses following initialization endpoint access
- Anomalous authentication patterns or unexpected password reset activity
Detection Strategies
- Monitor web server access logs for requests to /open/user/init and /open/user/notification/init paths
- Implement intrusion detection rules to alert on initialization endpoint access from external networks
- Review authentication logs for credential changes that were not initiated by known administrators
- Deploy web application firewall (WAF) rules to block unauthorized access to initialization endpoints
Monitoring Recommendations
- Enable detailed logging for all authentication-related endpoints in the Qinglong panel
- Set up alerting for any access attempts to user initialization endpoints after initial system setup
- Monitor for unusual traffic patterns targeting the /open/ API prefix
- Correlate network logs with application authentication events to detect bypass attempts
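The detection and monitoring notes above, worked through as an added example (not part of the advisory): a scan of constructed nginx-style access-log lines that flags requests to the Qinglong initialization endpoints arriving after first-time setup finished. The log lines, addresses and setup timestamp are all constructed; the field layout assumes nginx's default combined log format.

```javascript
// Added example, not part of the advisory: flags init-endpoint requests that
// arrive after first-time setup completed, using constructed nginx log lines.

// Both path prefixes, an optional trailing slash and any casing are matched.
const INIT_ENDPOINT = /^\/(api|open)\/user\/(init|notification\/init)\/?$/i;

// nginx combined format: client, ident, user, [time], "METHOD target proto", status ...
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

const MONTHS = { Jan: '01', Feb: '02', Mar: '03', Apr: '04', May: '05', Jun: '06',
                 Jul: '07', Aug: '08', Sep: '09', Oct: '10', Nov: '11', Dec: '12' };

// Parses "12/Mar/2026:14:31:09 +0000" into a Date; returns null on malformed input.
function parseNginxTime(s) {
  const m = /^(\d{2})\/([A-Za-z]{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-]\d{2})(\d{2})$/.exec(s);
  if (!m || !MONTHS[m[2]]) return null;
  const [, d, mon, y, hh, mi, ss, tzh, tzm] = m;
  return new Date(`${y}-${MONTHS[mon]}-${d}T${hh}:${mi}:${ss}${tzh}:${tzm}`);
}

// Returns every init-endpoint request logged strictly after setupCompletedAt.
// The legitimate first-time setup call itself is expected and is filtered out.
function findInitAccessAfterSetup(lines, setupCompletedAt) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;                          // unparseable line, skip it
    const [, ip, ts, method, target, status] = m;
    const path = target.split('?')[0];         // match on the path only
    if (!INIT_ENDPOINT.test(path)) continue;
    const when = parseNginxTime(ts);
    if (!when || when <= setupCompletedAt) continue;
    hits.push({ ip, method, path, status: Number(status), when: when.toISOString() });
  }
  return hits;
}

// Constructed sample log: one legitimate setup call, normal traffic, then two
// hits on the /open/ init endpoints from a different address hours later.
const SAMPLE_LOG = [
  '203.0.113.5 - - [12/Mar/2026:08:00:10 +0000] "POST /api/user/init HTTP/1.1" 200 52 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [12/Mar/2026:09:12:44 +0000] "GET /api/crons HTTP/1.1" 200 1893 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [12/Mar/2026:14:31:09 +0000] "POST /open/user/init HTTP/1.1" 200 47 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [12/Mar/2026:14:31:15 +0000] "POST /open/user/notification/init HTTP/1.1" 200 47 "-" "Mozilla/5.0"',
  '192.0.2.77 - - [12/Mar/2026:14:35:00 +0000] "GET /open/user HTTP/1.1" 401 31 "-" "Mozilla/5.0"',
];
const SETUP_COMPLETED_AT = new Date('2026-03-12T08:00:10Z');  // constructed

console.log(findInitAccessAfterSetup(SAMPLE_LOG, SETUP_COMPLETED_AT)); // two hits from 198.51.100.23
```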
How to Mitigate CVE-2026-3965
Immediate Actions Required
- Upgrade Qinglong to version 2.20.2 or later immediately
- Review access logs for any evidence of exploitation via the /open/user/init endpoint
- Reset administrative credentials if unauthorized access is suspected
- Implement network-level access controls to restrict API access to trusted sources
Patch Information
The vulnerability has been addressed in Qinglong version 2.20.2, available as GitHub Release v2.20.2. The fix is commit 6bec52dca158481258315ba0fc2f11206df7b719, which adds the /open/user/init and /open/user/notification/init paths to the allowlist consulted by the middleware, so that these endpoints are also subject to the initialization-state check. Additional details are available in GitHub Pull Request #2941.
Workarounds
- Implement reverse proxy rules to block access to /open/user/init and /open/user/notification/init endpoints
- Restrict network access to the Qinglong panel to trusted IP addresses only
- Deploy a web application firewall with rules to filter requests to initialization endpoints
- Monitor and alert on any access attempts to these sensitive endpoints until patching is complete
# Example nginx configuration to block the vulnerable endpoints at the reverse proxy.
# ~* makes the match case-insensitive and the optional trailing slash also covers
# /open/user/init/, since Express routing is case-insensitive and non-strict by default.
location ~* ^/open/user/(init|notification/init)/?$ {
    # return runs in the rewrite phase, before access checks, so a separate deny all is redundant
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

