Description
OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting defaults to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10.
Published: 2026-02-02
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Man‑in‑the‑Middle via disabled TLS verification
Action: Immediate Patch
AI Analysis

Impact

OpenList Frontend ships, prior to version 4.1.10, with a default configuration that disables TLS certificate verification for all storage driver traffic. This flaw, an instance of CWE‑599, lets an attacker who can redirect traffic through a malicious endpoint mount a man‑in‑the‑middle attack. With verification turned off, the application accepts any TLS certificate, allowing full decryption, data theft, and manipulation of storage operations without triggering the warnings a failed certificate check would normally raise.

Affected Systems

OpenListTeam OpenList version 4.1.9 and earlier are affected, specifically any deployment using the default configuration that leaves TlsInsecureSkipVerify set to true. The vulnerability is reachable wherever the frontend communicates with storage drivers over TLS; the attack positions named in the advisory are shared internal networks, Wi‑Fi hotspots, and compromised network devices.

Risk and Exploitability

With a CVSS score of 8.1, the vulnerability ranks as high severity. The low EPSS indicates that the exploit probability is currently small, and the issue is not yet cataloged in KEV, suggesting limited public exploitation. However, once an attacker can manipulate network paths, the lack of certificate validation makes interception trivial: any certificate the adversary presents is accepted, so traffic between the OpenList instance and its storage backends can be read and altered.

Generated by OpenCVE AI on April 18, 2026 at 00:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the OpenList patch to upgrade to version 4.1.10 or later
  • Reconfigure the TlsInsecureSkipVerify flag to false if a patch cannot be applied immediately
  • Monitor network traffic for signs of ARP spoofing, rogue Wi‑Fi access points, or unexpected TLS connections
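The following Go program is an added illustration for the two points above (what "certificate verification turned off" means in practice, and why flipping the flag to false is the fix); it is not OpenList's code. It models the TlsInsecureSkipVerify setting named in the advisory with a stand-in StorageConfig struct and two constructors (VulnerableDefault and FixedDefault are this example's stand-ins for the project's DefaultConfig(), not copies of it), maps the flag onto crypto/tls, where it becomes InsecureSkipVerify, and reproduces the client's accept/reject decision against constructed certificates: a self-signed one of the kind a rogue endpoint presents, one chained to a private CA the client trusts, and one chained to that CA but issued for a different host. The host names, the CA name and the certificate setup are assumptions of this example; no network handshake is performed, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// StorageConfig stands in for the OpenList setting named in the advisory; the
// struct and both constructors are this example's own, not the project's DefaultConfig().
type StorageConfig struct {
	TlsInsecureSkipVerify bool
}

// VulnerableDefault mirrors the pre-4.1.10 default: verification off.
func VulnerableDefault() StorageConfig { return StorageConfig{TlsInsecureSkipVerify: true} }

// FixedDefault is the safe default: verify the storage backend's certificate.
func FixedDefault() StorageConfig { return StorageConfig{TlsInsecureSkipVerify: false} }

// ClientTLS maps the setting onto crypto/tls, where InsecureSkipVerify=true
// disables both chain validation and the hostname check.
func ClientTLS(cfg StorageConfig, roots *x509.CertPool, host string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: cfg.TlsInsecureSkipVerify,
		RootCAs:            roots,
		ServerName:         host,
		MinVersion:         tls.VersionTLS12,
	}
}

// VerifyPeer reproduces the decision a crypto/tls client makes about the
// server's leaf certificate: accept anything when InsecureSkipVerify is set,
// otherwise require a chain to a trusted root and a matching hostname.
func VerifyPeer(tc *tls.Config, leaf *x509.Certificate) error {
	if tc.InsecureSkipVerify {
		return nil // the gap the advisory describes: any certificate passes
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     tc.RootCAs,
		DNSName:   tc.ServerName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "no trusted root" failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func check(err error) {
	if err != nil {
		panic(err) // demo setup (key generation, signing) only fails in a broken environment
	}
}

var serial int64 // constructed serial numbers for the throwaway certificates

// issue mints a throwaway P-256 certificate, self-signed when parent is nil.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the SAN is what the hostname check matches
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// RogueEndpointVerdict is the client's verdict on a self-signed certificate
// for host, the kind a MitM endpoint presents; nil means accepted.
func RogueEndpointVerdict(cfg StorageConfig, host string) error {
	rogue, _ := issue(host, false, nil, nil)
	return VerifyPeer(ClientTLS(cfg, x509.NewCertPool(), host), rogue)
}

// TrustedChainVerdict is the verdict on a certificate issued for issuedFor by
// a private CA the client trusts, when the client connects to connectTo.
func TrustedChainVerdict(cfg StorageConfig, issuedFor, connectTo string) error {
	ca, caKey := issue("Example Storage CA", true, nil, nil) // constructed CA name
	leaf, _ := issue(issuedFor, false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return VerifyPeer(ClientTLS(cfg, roots, connectTo), leaf)
}

func main() {
	const host = "storage.example.test" // constructed backend name
	fmt.Println("vulnerable default, rogue cert:", RogueEndpointVerdict(VulnerableDefault(), host))
	fmt.Println("fixed default, rogue cert:     ", RogueEndpointVerdict(FixedDefault(), host))
	fmt.Println("fixed default, trusted chain:  ", TrustedChainVerdict(FixedDefault(), host, host))
	fmt.Println("fixed default, wrong host:     ", TrustedChainVerdict(FixedDefault(), "other.example.test", host))
}
```

Run as-is, the program prints nil for the vulnerable default against the rogue certificate and for the fixed default against a properly chained certificate, an "unknown authority" error for the fixed default against the rogue certificate, and a hostname error when the trusted chain is for the wrong name. The operational consequence is the one the advisory draws: with the flag set to true, none of the three error paths can ever fire, so a redirected connection looks identical to a legitimate one. When applying the interim mitigation in the list above, the only safe value is false; if a backend uses a private CA, the fix is to add that CA to the trusted roots (RootCAs here), not to disable verification.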


Advisories

Source: GitHub GHSA
ID: GHSA-wf93-3ghh-h389
Title: OpenList has Insecure TLS Default Configuration
History

Mon, 23 Feb 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Oplist; Oplist openlist
CPEs | | cpe:2.3:a:oplist:openlist:*:*:*:*:*:*:*:*
Vendors & Products | | Oplist; Oplist openlist

Wed, 04 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openlistteam; Openlistteam openlist
Vendors & Products | | Openlistteam; Openlistteam openlist

Mon, 02 Feb 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10.
Title | | OpenList Insecure TLS Default Configuration
Weaknesses | | CWE-599
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-04T16:53:31.990Z
Reserved: 2026-01-28T14:50:47.889Z
Link: CVE-2026-25060

Vulnrichment

Updated: 2026-02-04T15:54:29.169Z

NVD

Status: Analyzed
Published: 2026-02-02T23:16:08.913
Modified: 2026-02-23T17:35:00.207
Link: CVE-2026-25060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses