CVE-2026-25060

HIGH

OpenList Frontend <4.1.10 - Info Disclosure

Title source: llm

Description

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10.

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389

Patch x_refsource_misc

https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1

View Patch ZIP pw:eip

Release Notes x_refsource_misc

https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10

Scores

CVSS v3 8.1

EPSS 0.0001

EPSS Percentile 1.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-599

Status published

Products (2)

OpenListTeam/OpenList 0 - 4.1.10Go

oplist/openlist < 4.1.10

Published Feb 02, 2026

Tracked Since Feb 18, 2026