Qinglong
CVE-2026-55445
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Single unauthenticated remote request (AV:N/AC:L/PR:N/UI:N) resets admin credentials granting full read/write control (C:H/I:H); no direct availability destruction primitive, so A:N, consistent with the vendor's VA:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the init guard middleware in back/loaders/express.ts checks /api/user/init but not /open/user/init, while rewrite('/open/*', '/api/$1') rewrites the whitelisted /open/* path after JWT authentication and the guard have passed; an unauthenticated attacker can send PUT /open/user/init to reset administrator credentials on an initialized instance. This issue is fixed in 2.20.1.
AnalysisAI
Authentication bypass in Qinglong (whyour/qinglong) task-management platform before 2.20.1 lets an unauthenticated remote attacker reset administrator credentials on an already-initialized instance by sending PUT /open/user/init. The flaw stems from a path-rewrite ordering mistake: the init-guard middleware whitelists /open/* through JWT auth, then rewrites it to /api/user/init after the guard's initialization check has already been bypassed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target Qinglong instance must be running a version prior to 2.20.1, be network-reachable by the attacker, and - critically - already be initialized (past first-run setup), because the attack abuses the init guard on an instance that should no longer accept initialization. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high-priority issue, not a high-CVSS-but-low-real-risk artifact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans for internet-exposed Qinglong panels and, against an already-initialized instance, sends a single unauthenticated PUT request to /open/user/init with attacker-chosen credentials; the request is JWT-whitelisted as an /open/* path, passes the init guard because the guard only checks /api/user/init, and is then rewritten to /api/user/init and executed, resetting the admin username and password. The attacker logs in as administrator and, because Qinglong runs arbitrary Python/JS/Shell/TypeScript tasks, schedules a malicious task to gain code execution on the host. … |
| Remediation | Vendor-released patch: 2.20.1 - upgrade all Qinglong instances to 2.20.1 or later, which extends the init-guard whitelist check to include '/open/user/init' and '/open/user/notification/init' and evaluates it against req.path so the rewritten open-API paths are also blocked on initialized instances (see PR #2941 and advisory GHSA-v667-gc2r-2xm7). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all Qinglong instances across your infrastructure and determine which versions are deployed; immediately implement network-layer protections such as WAF rules, IP allowlists, or reverse-proxy authentication for the /open/user/init endpoint to restrict access; isolate internet-facing instances if feasible pending mitigation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today