CVE-2026-55445 in Qinglong
Summary
by MITRE • 07/16/2026
Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the init guard middleware in back/loaders/express.ts checks /api/user/init but not /open/user/init, while rewrite('/open/*', '/api/$1') rewrites the whitelisted /open/* path after JWT authentication and the guard have passed; an unauthenticated attacker can send PUT /open/user/init to reset administrator credentials on an initialized instance. This issue is fixed in 2.20.1.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The Qinglong timed task management platform presents a critical authentication bypass vulnerability that stems from inconsistent middleware validation logic within its express.js backend implementation. This flaw exists in versions prior to 2.20.1 and specifically affects the initialization guard middleware located in back/loaders/express.ts. The vulnerability arises from the asymmetric handling of API endpoints where the init guard middleware properly validates authentication for /api/user/init but fails to apply the same validation to the corresponding /open/user/init endpoint. This inconsistency creates a direct attack vector that allows unauthenticated attackers to exploit the system's rewrite functionality.
The technical exploitation occurs through the application's URL rewriting mechanism which is configured with rewrite('/open/', '/api/$1') pattern. This configuration effectively maps all /open/ paths to their corresponding /api/* equivalents after successful JWT authentication and guard validation have been completed. However, the critical flaw lies in the fact that the middleware validation only occurs for the original API path but not for the rewritten open path. When an attacker sends a PUT request to /open/user/init, the system processes this through the rewrite mechanism and successfully passes both JWT authentication and the guard validation, despite the initial request being unauthenticated.
The operational impact of this vulnerability is severe as it directly enables credential reset functionality for administrator accounts on initialized Qinglong instances. This means that an attacker with network access to the platform can completely compromise administrative privileges without requiring any valid credentials or authentication tokens. The vulnerability effectively provides a backdoor for privilege escalation attacks that bypass the entire authentication system, potentially leading to full system compromise and persistent access.
This vulnerability aligns with CWE-285, which addresses improper authorization issues in software systems, and demonstrates a classic case of insufficient validation of access control mechanisms. From an ATT&CK perspective, this represents a privilege escalation technique categorized under T1078 Valid Accounts and T1566 Phishing, as it allows attackers to assume administrative roles without proper authentication. The exploitation path also relates to T1210 Exploitation of Remote Services through the manipulation of API endpoints that should be protected.
The mitigation strategy requires implementing consistent middleware validation across all endpoint paths that are subject to rewrite operations. The fix in version 2.20.1 addresses this by ensuring that both /api/user/init and /open/user/init undergo identical authentication and authorization checks before allowing credential reset operations. Organizations should also implement proper input validation for all API endpoints, ensure consistent access control policies across rewritten paths, and regularly audit middleware configurations to prevent similar issues in other components. Additionally, implementing rate limiting and monitoring for initialization endpoint access can help detect and prevent abuse of this vulnerability during exploitation attempts.