External risk intelligence

Qinglong Admin Credential Reset Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-55445

Qinglong is typically deployed as an internet-facing task management platform. The vulnerability exists in an API endpoint path that is reachable over the network, allowing unauthenticated attackers to bypass security middleware and reset administrator credentials via a PUT request.

Authentication Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the Qinglong task management platform, which could allow unauthenticated attackers to reset administrator credentials. This issue arises from an incomplete check in the platform's middleware, potentially exposing initialized instances to unauthorized access and credential compromise.

  • Unauthenticated attackers can reset admin passwords.
  • Key platform allows unauthorized credential resets.
  • Confirm relevance and assess exposure risks.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending a PUT request to a specific API endpoint that is mishandled by the system's security checks. This occurs because the system incorrectly allows access to a user initialization endpoint through a rewritten path, bypassing authentication and authorization. Successful exploitation could allow an attacker to reset administrator credentials.

  • No authentication required.
  • Triggered by PUT request to /open/user/init.
  • Allows administrator credential reset.

Live Threat

Current exploitation, exposure, and threat context

Unauthenticated attackers could reset administrator credentials on an initialized Qinglong instance by sending a PUT request to a specific API endpoint. This bypasses authentication and middleware checks, allowing credential modification when the platform is deployed in certain network configurations.

  • Administrator credentials.
  • Network-accessible API endpoint.
  • Unauthorized administrative control.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Qinglong platform's potential for unauthenticated administrator credential reset points to application owners or platform teams as primary responders, potentially involving vendor management if it's a third-party solution. The first step is to confirm the presence of Qinglong, assess its exposure and criticality, identify the owning team, and then collaboratively plan remediation.

  • Application owners must confirm deployment.
  • Verify network exposure and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Qinglong?

Qinglong is a software platform designed to manage timed tasks, supporting automation scripts written in languages like Python, JavaScript, Shell, and TypeScript. Users typically deploy it to schedule and execute background operations or recurring automated workflows across their infrastructure.

What is the vulnerability in CVE-2026-55445?

This vulnerability involves Improper Authentication (CWE-287). It occurs because the system's security middleware fails to properly validate requests sent to a specific initialization endpoint. Because the software incorrectly handles path rewriting, it allows an unauthenticated user to access a function intended only for initial setup, granting them the ability to reset administrative credentials.

How can an attacker trigger this credential reset?

An attacker triggers this by sending a specific PUT request to the /open/user/init API path. The flaw exists because the software's security guard checks the standard initialization path but misses this redirected variant. Notably, this does not affect instances that have not yet been initialized, as the logic specifically targets the account management process on systems already in use.

Is my Qinglong instance at risk?

Halo Surface Signal indicates this risk is higher if your Qinglong instance is accessible over the internet, as the vulnerability is reachable via standard network requests. If your platform is hosted behind internal network boundaries or restricted access controls, the opportunity for an unauthorized external actor to reach the vulnerable API endpoint is significantly reduced.

What steps should I take to secure my system?

First, verify if you are running a version of Qinglong prior to 2.20.1, as the fix is included in that release. Coordinate with your platform or application team to assess where the software is deployed and whether it is network-accessible. Once confirmed, prioritize updating to version 2.20.1 or later to apply the necessary middleware security patches.

References