Qinglong
Monthly
Authentication bypass in Qinglong (whyour/qinglong) task-management platform before 2.20.1 lets an unauthenticated remote attacker reset administrator credentials on an already-initialized instance by sending PUT /open/user/init. The flaw stems from a path-rewrite ordering mistake: the init-guard middleware whitelists /open/* through JWT auth, then rewrites it to /api/user/init after the guard's initialization check has already been bypassed. No public exploit identified at time of analysis, but the fixing PR diff publicly discloses the exact bypass, making weaponization trivial; CVSS 4.0 base score is 9.3 (Critical).
Authentication bypass in Qinglong (whyour/qinglong) task-management platform before 2.20.1 lets an unauthenticated remote attacker reset administrator credentials on an already-initialized instance by sending PUT /open/user/init. The flaw stems from a path-rewrite ordering mistake: the init-guard middleware whitelists /open/* through JWT auth, then rewrites it to /api/user/init after the guard's initialization check has already been bypassed. No public exploit identified at time of analysis, but the fixing PR diff publicly discloses the exact bypass, making weaponization trivial; CVSS 4.0 base score is 9.3 (Critical).