CVE-2026-25060
Unknown Unknown - Not Provided
TLS Certificate Verification Bypass in OpenList Frontend Enables MitM

Publication date: 2026-02-02

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25060
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oplist openlist to 4.1.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-599 The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenList Frontend versions prior to 4.1.10, where TLS certificate verification is disabled by default for all storage driver communications. Because the TlsInsecureSkipVerify setting is true by default, the system does not verify the authenticity of TLS certificates, allowing attackers to perform Man-in-the-Middle (MitM) attacks. Attackers can intercept and manipulate storage communications by redirecting traffic through methods like ARP spoofing, rogue Wi-Fi access points, or compromised network equipment. This enables attackers to decrypt, steal, and alter data without triggering security warnings.

Impact Analysis

This vulnerability can lead to severe security impacts including data theft, data manipulation, and unauthorized access to sensitive storage communications. Attackers can intercept encrypted traffic, decrypt it, and alter storage operations, potentially compromising the integrity, confidentiality, and availability of your data and systems.

Mitigation Strategies

Upgrade OpenList Frontend to version 4.1.10 or later, where the TLS certificate verification is enabled by default, fixing the vulnerability. Until the upgrade, avoid using versions prior to 4.1.10 in environments where network-level attacks like ARP spoofing or rogue Wi-Fi access points are possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25060. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart