Auth bypass in Whyour Qinglong

CVE-2026-55445

Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the init guard middleware in back/loaders/express.ts checks /api/user/init but not /open/user/init, while rewrite('/open/*…

Vulnerability class: Broken Authentication

Affected products

Weakness classification (CWE)

References