Description
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data. This issue has been patched in version 3.57.0.
Published: 2026-02-04
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Man‑in‑the‑Middle attacks compromising confidentiality and integrity of data stored via external drivers
Action: Immediate Patch
AI Analysis

Impact

Alist disables TLS certificate verification for all outgoing storage driver communications before version 3.57.0, which enables attackers to perform Man-in-the-Middle attacks on those connections. An attacker positioned on the path to a storage backend can decrypt, steal, and manipulate the data in transit, severely compromising the confidentiality and integrity of stored user data.

Affected Systems

The vulnerable software is Alist, a file listing application built with Gin and Solidjs, provided by the vendor AlistGo. Any deployment running a version older than 3.57.0 is affected.

Risk and Exploitability

The CVSS score of 9.1 indicates critical severity, and the EPSS score of less than 1% suggests a very low but non-zero probability that exploitation will occur. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a network attacker capable of intercepting outbound TLS connections from the Alist instance to its configured storage backends – for example, by compromising an internal network segment or the cloud environment the service operates in. Since TLS certificate verification is turned off by default, the attacker can present a forged certificate and the application will accept it, enabling a full MitM without any additional attacker privileges within the Alist system.

Generated by OpenCVE AI on April 17, 2026 at 23:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch to update Alist to version 3.57.0 or later.
  • Ensure that TLS certificate verification is enabled for all storage driver communications; if the application allows a configuration switch, enable it for outbound connections.
  • Continuously monitor outbound TLS traffic from Alist to detect unexpected or untrusted connections that could indicate a MitM attempt.
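The weak setting the advisory describes (CWE-295), as an added illustration that is not Alist's code: a Go client built with InsecureSkipVerify beside a verifying one, checked against a local self-signed server that stands in for a MitM's forged certificate. The names newClient, connects and CheckVerification are chosen here; the only assumption is that a driver's outbound requests go through an http.Client configured as shown.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient mimics a storage driver's outbound HTTP client. skipVerify=true
// reproduces the pre-3.57.0 weak setting (CWE-295: the peer certificate is
// never checked); a non-nil roots restricts trust to that CA set.
func newClient(skipVerify bool, roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify, RootCAs: roots},
	}}
}

// connects reports whether the client completed a GET against url.
func connects(c *http.Client, url string) bool {
	resp, err := c.Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

// CheckVerification starts a local TLS server whose self-signed certificate
// stands in for a MitM's forged certificate and reports whether the skip-verify
// client accepts it, whether a verifying client (system roots) rejects it, and
// whether a client that explicitly trusts the expected CA still connects.
func CheckVerification() (insecureAccepted, verifyingRejected, pinnedAccepted bool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()
	insecureAccepted = connects(newClient(true, nil), srv.URL)
	verifyingRejected = !connects(newClient(false, nil), srv.URL)
	pool := x509.NewCertPool() // trust exactly the backend's CA, not everything
	pool.AddCert(srv.Certificate())
	pinnedAccepted = connects(newClient(false, pool), srv.URL)
	return
}

func main() {
	a, b, c := CheckVerification()
	fmt.Printf("skip-verify accepts forged cert: %v\nverifying client rejects it: %v\npinned CA connects: %v\n", a, b, c)
}
```

The third case is the correct handling for self-hosted backends with private CAs: add the CA to RootCAs instead of disabling verification.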

Advisories

Source: GitHub GHSA
ID: GHSA-8jmm-3xwx-w974
Title: Alist has Insecure TLS Config

History

Fri, 13 Feb 2026 21:30:00 +0000

CPEs: cpe:2.3:a:alistgo:alist:*:*:*:*:*:*:*:*

Thu, 05 Feb 2026 15:15:00 +0000

Metrics: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 11:45:00 +0000

First Time appeared: Alistgo; Alistgo alist
Vendors & Products: Alistgo; Alistgo alist

Wed, 04 Feb 2026 20:00:00 +0000

Description: Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data. This issue has been patched in version 3.57.0.
Title: Alist has Insecure TLS Config
Weaknesses: CWE-295
References:
Metrics: cvssV3_1
{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:32:45.537Z

Reserved: 2026-01-29T15:39:11.822Z

Link: CVE-2026-25160

Vulnrichment

Updated: 2026-02-05T14:25:31.781Z

NVD

Status : Analyzed

Published: 2026-02-04T20:16:06.720

Modified: 2026-02-13T21:23:28.700

Link: CVE-2026-25160

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses