๐Ÿ” CVE Alert

CVE-2026-55445

UNKNOWN 0.0

Qinglong: Incomplete fix for CVE-2026-3965: Improper Authentication

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the init guard middleware in back/loaders/express.ts checks /api/user/init but not /open/user/init, while rewrite('/open/*', '/api/$1') rewrites the whitelisted /open/* path after JWT authentication and the guard have passed; an unauthenticated attacker can send PUT /open/user/init to reset administrator credentials on an initialized instance. This issue is fixed in 2.20.1.

CWE CWE-287
Vendor whyour
Product qinglong
Published Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for whyour qinglong

Be the first to know when new unknown vulnerabilities affecting whyour qinglong are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

whyour / qinglong
< 2.20.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/whyour/qinglong/security/advisories/GHSA-v667-gc2r-2xm7 github.com: https://github.com/whyour/qinglong/pull/2941 github.com: https://github.com/whyour/qinglong/commit/6bec52dca158481258315ba0fc2f11206df7b719