CVE-2026-25060

8.1 HIGH

📋 TL;DR

OpenList Frontend versions before 4.1.10 have TLS certificate verification disabled by default for storage communications, allowing Man-in-the-Middle attacks. Attackers can intercept and manipulate all storage operations, potentially leading to data theft or corruption. All users running vulnerable versions are affected.

💻 Affected Systems

Products:
  • OpenList Frontend
Versions: All versions prior to 4.1.10
Operating Systems: All platforms running OpenList Frontend
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration where TlsInsecureSkipVerify is set to true.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all storage communications, enabling attackers to steal sensitive data, inject malicious content, or corrupt storage operations without detection.

🟠 Likely Case

Data interception and manipulation in environments with network-level vulnerabilities, leading to data breaches or service disruption.

🟢 If Mitigated

Limited impact if network segmentation and monitoring prevent MitM attacks, though the vulnerability remains present.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exposed to MitM attacks from external networks.
🏢 Internal Only: MEDIUM - Internal systems are vulnerable to compromised network equipment or insider threats, but require network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network-level access but no authentication to the OpenList system itself. Standard MitM techniques like ARP spoofing or rogue access points can be used.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.10

Vendor Advisory: https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389

Restart Required: Yes

Instructions:

1. Download OpenList Frontend version 4.1.10 or later from the official repository.
2. Replace the existing installation with the patched version.
3. Restart the OpenList Frontend service to apply changes.

🔧 Temporary Workarounds

Enable TLS certificate verification manually


Modify the configuration to set TlsInsecureSkipVerify to false, forcing certificate validation for storage communications.

1. Edit the configuration file (typically config.yaml or similar) and set: TlsInsecureSkipVerify: false
2. Restart the OpenList Frontend service
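To make the difference between the two settings concrete, here is an added example (not OpenList's own code): a minimal Go client whose TLS verification is driven by a TlsInsecureSkipVerify field, probed against a local server presenting a self-signed certificate. StorageConfig, NewStorageClient and ProbeUntrustedCert are assumed stand-in names, not identifiers from the project.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// StorageConfig is a stand-in (assumption) for OpenList's real configuration
// type; only the field named in the advisory is modelled.
type StorageConfig struct {
	TlsInsecureSkipVerify bool
}

// NewStorageClient wires the setting into crypto/tls. With InsecureSkipVerify
// set, chain and hostname validation are skipped, so any certificate an
// on-path party presents is accepted.
func NewStorageClient(cfg StorageConfig) *http.Client {
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: cfg.TlsInsecureSkipVerify}},
	}
}

// ProbeUntrustedCert connects to a local server presenting a certificate no
// trusted CA signed (httptest's self-signed cert stands in for an interceptor's)
// and reports whether the client accepted it.
func ProbeUntrustedCert(cfg StorageConfig) (accepted bool, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "storage ok")
	}))
	defer srv.Close()
	resp, err := NewStorageClient(cfg).Get(srv.URL + "/bucket/object")
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return true, nil
}

// IsUnknownAuthorityError recognises the x509 validation failure a correctly
// configured client raises (the "certificate validation" log indicator above).
func IsUnknownAuthorityError(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}
```

With TlsInsecureSkipVerify true the probe succeeds silently; with it false the handshake fails with an unknown-authority error, which is the event worth surfacing in logs and SIEM rules.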

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate OpenList Frontend from untrusted networks.
  • Deploy network monitoring and intrusion detection systems to detect MitM attempts.

🔍 How to Verify

Check if Vulnerable:

Check the OpenList Frontend version; if it is below 4.1.10, it is vulnerable. Also check whether the configuration file contains TlsInsecureSkipVerify: true.

Check Version:

Run the OpenList Frontend binary with a version flag, e.g., ./openlist-frontend --version

Verify Fix Applied:

Confirm the version is 4.1.10 or higher and that TlsInsecureSkipVerify is set to false in the configuration.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected TLS handshake failures or warnings related to certificate validation in OpenList logs.
  • Unusual storage communication patterns or errors.

Network Indicators:

  • Suspicious network traffic redirection (e.g., ARP spoofing alerts) targeting OpenList storage endpoints.
  • Unexpected SSL/TLS certificates presented during storage communications.

SIEM Query:

Example: search for events where source_ip initiates TLS connections to OpenList storage endpoints with certificate validation errors or mismatched certificates.
