Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the init guard middleware in back/loaders/express.ts checks /api/user/init but not /open/user/init, while rewrite('/open/*', '/api/$1') rewrites the whitelisted /open/* path after JWT authentication and the guard have passed; an unauthenticated attacker can send PUT /open/user/init to reset administrator credentials on an initialized instance. This issue is fixed in 2.20.1.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 15 Jul 2026 23:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Whyour
Whyour qinglong |
|
| Vendors & Products |
Whyour
Whyour qinglong |
Wed, 15 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the init guard middleware in back/loaders/express.ts checks /api/user/init but not /open/user/init, while rewrite('/open/*', '/api/$1') rewrites the whitelisted /open/* path after JWT authentication and the guard have passed; an unauthenticated attacker can send PUT /open/user/init to reset administrator credentials on an initialized instance. This issue is fixed in 2.20.1. | |
| Title | Qinglong: Incomplete fix for CVE-2026-3965: Improper Authentication | |
| Weaknesses | CWE-287 | |
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T21:20:01.430Z
Reserved: 2026-06-16T21:59:57.018Z
Link: CVE-2026-55445
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T23:15:15Z
Weaknesses