{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25060", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-28T14:50:47.889Z", "datePublished": "2026-02-02T22:26:42.421Z", "dateUpdated": "2026-02-04T16:53:31.990Z"}, "containers": {"cna": {"title": "OpenList Insecure TLS Default Configuration", "problemTypes": [{"descriptions": [{"cweId": "CWE-599", "lang": "en", "description": "CWE-599: Missing Validation of OpenSSL Certificate", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389"}, {"name": "https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1"}, {"name": "https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10"}], "affected": [{"vendor": "OpenListTeam", "product": "OpenList", "versions": [{"version": "< 4.1.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T22:26:42.421Z"}, "descriptions": [{"lang": "en", "value": "OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10."}], "source": {"advisory": "GHSA-wf93-3ghh-h389", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T15:54:28.374017Z", "id": "CVE-2026-25060", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:53:31.990Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25060", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T15:54:28.374017Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T15:54:29.169Z"}}], "cna": {"title": "OpenList Insecure TLS Default Configuration", "source": {"advisory": "GHSA-wf93-3ghh-h389", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OpenListTeam", "product": "OpenList", "versions": [{"status": "affected", "version": "< 4.1.10"}]}], "references": [{"url": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389", "name": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1", "name": "https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10", "name": "https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-599", "description": "CWE-599: Missing Validation of OpenSSL Certificate"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T22:26:42.421Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25060", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:53:31.990Z", "dateReserved": "2026-01-28T14:50:47.889Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-02T22:26:42.421Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oplist:openlist:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A540671-DE84-45FD-A087-21A565765CF4", "versionEndExcluding": "4.1.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10."}, {"lang": "es", "value": "OpenList Frontend es un componente de interfaz de usuario para OpenList. Antes de la versi\u00f3n 4.1.10, la verificaci\u00f3n de certificados est\u00e1 deshabilitada por defecto para todas las comunicaciones del controlador de almacenamiento. La configuraci\u00f3n TlsInsecureSkipVerify est\u00e1 establecida en true por defecto en la funci\u00f3n DefaultConfig() en internal/conf/config.go. Esta vulnerabilidad permite ataques de man-in-the-middle (MitM) al deshabilitar la verificaci\u00f3n de certificados TLS, lo que permite a los atacantes interceptar y manipular todas las comunicaciones de almacenamiento. Los atacantes pueden explotar esto a trav\u00e9s de ataques a nivel de red como suplantaci\u00f3n de ARP, puntos de acceso Wi-Fi no autorizados o equipos de red internos comprometidos para redirigir el tr\u00e1fico a puntos finales maliciosos. Dado que la validaci\u00f3n de certificados se omite, el sistema establecer\u00e1 conexiones cifradas sin saberlo con servidores controlados por el atacante, lo que permite el descifrado completo, el robo de datos y la manipulaci\u00f3n de todas las operaciones de almacenamiento sin activar ninguna advertencia de seguridad. Esta vulnerabilidad se corrige en la versi\u00f3n 4.1.10."}], "id": "CVE-2026-25060", "lastModified": "2026-02-23T17:35:00.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-02T23:16:08.913", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-599"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:30:14.569613+00:00", "value": {"mitigation_remediation": ["Apply the OpenList patch to upgrade to version 4.1.10 or later", "Reconfigure the TlsInsecureSkipVerify flag to false if a patch cannot be applied immediately", "Monitor network traffic for signs of ARP spoofing, rogue Wi\u2011Fi access points, or unexpected TLS connections"], "summary": {"action": "Immediate Patch", "impact": "Man\u2011in\u2011the\u2011Middle via disabled TLS verification"}, "threat_synthesis": {"affected_systems": "OpenListTeam OpenList version 4.1.9 and earlier are affected, specifically any deployment using the default configuration that leaves TlsInsecureSkipVerify set to true. The vulnerability applies to all environments where the frontend communicates with storage drivers over TLS, such as internal networks, Wi\u2011Fi hotspots, or compromised network devices.", "description_and_impact": "OpenList Frontend contains a default configuration that disables TLS certificate verification for all storage driver traffic prior to version 4.1.10. This flaw, a case of CWE\u2011599, lets an attacker launch a man\u2011in\u2011the\u2011middle attack by redirecting traffic through a malicious endpoint. With verification turned off, the application accepts any TLS certificate, allowing full decryption, data theft, and manipulation of storage operations while evading normal security alerts.", "risk_and_exploitability": "With a CVSS score of 8.1, the vulnerability ranks as high severity. The low EPSS indicates exploit probability is currently small, and the issue is not yet cataloged in KEV, suggesting limited public exploitation. However, once an attacker can manipulate network paths, the lack of certificate validation makes it trivial for an adversary to forge certificates and control traffic between the OpenList instance and its storage backends."}}}}, "created": "2026-02-04T12:17:56.225214+00:00", "updated": "2026-04-18T00:30:25.720417+00:00", "vendors": ["openlistteam", "openlistteam$PRODUCT$openlist"]}