Skip to main content

Qinglong CVE-2026-55445

CRITICAL
Improper Authentication (CWE-287)
2026-07-15 GitHub_M
9.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Single unauthenticated remote request (AV:N/AC:L/PR:N/UI:N) resets admin credentials granting full read/write control (C:H/I:H); no direct availability destruction primitive, so A:N, consistent with the vendor's VA:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 22:05 vuln.today
Analysis Generated
Jul 15, 2026 - 22:05 vuln.today
CVE Published
Jul 15, 2026 - 21:20 cve.org
CRITICAL 9.3

DescriptionCVE.org

Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the init guard middleware in back/loaders/express.ts checks /api/user/init but not /open/user/init, while rewrite('/open/*', '/api/$1') rewrites the whitelisted /open/* path after JWT authentication and the guard have passed; an unauthenticated attacker can send PUT /open/user/init to reset administrator credentials on an initialized instance. This issue is fixed in 2.20.1.

AnalysisAI

Authentication bypass in Qinglong (whyour/qinglong) task-management platform before 2.20.1 lets an unauthenticated remote attacker reset administrator credentials on an already-initialized instance by sending PUT /open/user/init. The flaw stems from a path-rewrite ordering mistake: the init-guard middleware whitelists /open/* through JWT auth, then rewrites it to /api/user/init after the guard's initialization check has already been bypassed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate internet-exposed Qinglong panel
Delivery
Send unauthenticated PUT /open/user/init
Exploit
Path whitelisted, bypasses init guard
Execution
Rewrite to /api/user/init resets admin credentials
Persist
Log in as administrator
Impact
Schedule malicious task for host code execution

Vulnerability AssessmentAI

Exploitation The target Qinglong instance must be running a version prior to 2.20.1, be network-reachable by the attacker, and - critically - already be initialized (past first-run setup), because the attack abuses the init guard on an instance that should no longer accept initialization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue, not a high-CVSS-but-low-real-risk artifact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans for internet-exposed Qinglong panels and, against an already-initialized instance, sends a single unauthenticated PUT request to /open/user/init with attacker-chosen credentials; the request is JWT-whitelisted as an /open/* path, passes the init guard because the guard only checks /api/user/init, and is then rewritten to /api/user/init and executed, resetting the admin username and password. The attacker logs in as administrator and, because Qinglong runs arbitrary Python/JS/Shell/TypeScript tasks, schedules a malicious task to gain code execution on the host. …
Remediation Vendor-released patch: 2.20.1 - upgrade all Qinglong instances to 2.20.1 or later, which extends the init-guard whitelist check to include '/open/user/init' and '/open/user/notification/init' and evaluates it against req.path so the rewritten open-API paths are also blocked on initialized instances (see PR #2941 and advisory GHSA-v667-gc2r-2xm7). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all Qinglong instances across your infrastructure and determine which versions are deployed; immediately implement network-layer protections such as WAF rules, IP allowlists, or reverse-proxy authentication for the /open/user/init endpoint to restrict access; isolate internet-facing instances if feasible pending mitigation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy