{"id":"CVE-2026-55445","summary":"Qinglong: Incomplete fix for CVE-2026-3965: Improper Authentication","details":"Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the init guard middleware in back/loaders/express.ts checks /api/user/init but not /open/user/init, while rewrite('/open/*', '/api/$1') rewrites the whitelisted /open/* path after JWT authentication and the guard have passed; an unauthenticated attacker can send PUT /open/user/init to reset administrator credentials on an initialized instance. This issue is fixed in 2.20.1.","aliases":["GHSA-v667-gc2r-2xm7"],"modified":"2026-07-19T03:30:48.169390848Z","published":"2026-07-15T21:20:01.430Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-287"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55445.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55445.json"},{"type":"ADVISORY","url":"https://github.com/whyour/qinglong/security/advisories/GHSA-v667-gc2r-2xm7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55445"},{"type":"FIX","url":"https://github.com/whyour/qinglong/commit/6bec52dca158481258315ba0fc2f11206df7b719"},{"type":"FIX","url":"https://github.com/whyour/qinglong/pull/2941"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/whyour/qinglong","events":[{"introduced":"0"},{"fixed":"6bec52dca158481258315ba0fc2f11206df7b719"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.20.1"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v2.20.0","v2.19.2","v2.19.1","v2.19.0","v2.18.3","v2.18.2","v2.18.1","v2.18.0","v2.17.13","v2.17.12","v2.17.11","v2.17.10","v2.17.9","v2.17.8","v2.17.7","v2.17.6","v2.17.5","v2.17.4","v2.17.3","v2.17.2","v2.17.1","v2.16.5","v2.16.4","v2.16.3","v2.16.2","v2.16.1","v2.16.0","v2.15.20","v2.15.19","v2.15.18","v2.15.17","v2.15.16","v2.15.15","v2.15.14","v2.15.13","v2.15.12","v2.15.11","v2.15.10","v2.15.9","v2.15.8","v2.15.7","v2.15.6","v2.15.5","v2.15.4","v2.15.3","v2.15.2","v2.15.1","v2.15.0","v2.14.12","v2.14.11","v2.14.10","v2.14.9","v2.14.8","v2.14.7","v2.14.6","v2.14.5","v2.14.4","v2.14.3","v2.14.2","v2.14.1","v2.14.0","v2.13.9","v2.13.8","v2.13.7","v2.13.6","v2.2.0","v1.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55445.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}