CVE-2026-25060

Name of the Vulnerable Software and Affected Versions OpenList versions prior to 4.1.10

Description The OpenList application disables TLS certificate verification by default for all outgoing storage driver communications, creating a risk of Man-in-the-Middle (MitM) attacks. This allows attackers to intercept and manipulate all storage communications, potentially leading to the decryption, theft, and manipulation of data. Attackers can leverage network-level attacks, such as ARP spoofing or compromised network equipment, to redirect traffic to malicious endpoints. The TlsInsecureSkipVerify setting is set to true by default in the DefaultConfig() function. This enables attackers to establish encrypted connections with attacker-controlled servers, allowing full decryption and manipulation of storage operations without security warnings. A proof-of-concept demonstrated successful interception of authentication cookies by redirecting traffic to a malicious HTTPS server.

Recommendations Versions prior to 4.1.10: Upgrade to version 4.1.10 or later to enable certificate verification and mitigate the risk of MitM attacks.