Cyber Posture

CVE-2026-25060

High

Published: 02 February 2026
Modified: 23 February 2026
KEV Added: not listed
Patch: fixed in 4.1.10
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25060 is a high-severity Missing Validation of OpenSSL Certificate (CWE-599) vulnerability in Oplist Openlist. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). EPSS ranks it at the 1.8th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Adversary-in-the-Middle (T1557) and two of its sub-techniques, listed below. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-23 Session Authenticity (prevent): Protects the authenticity of communications sessions, directly countering MitM attacks by requiring TLS certificate validation for storage driver endpoints.

SC-8 Transmission Confidentiality and Integrity (prevent): Requires cryptographic protection of transmission confidentiality and integrity, mitigating the interception and manipulation enabled by disabled TLS certificate verification.

CM-6 Configuration Settings (prevent): Enforces secure configuration settings such as TlsInsecureSkipVerify=false in DefaultConfig, preventing insecure default TLS behavior in OpenList Frontend.

MITRE ATT&CK Enterprise Techniques

T1557 Adversary-in-the-Middle (Credential Access): Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.

T1557.002 ARP Cache Poisoning (Credential Access): Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices.

T1557.004 Evil Twin (Credential Access): Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malicious networks as a way of supporting follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Disabled TLS certificate validation (TlsInsecureSkipVerify=true) directly enables successful Adversary-in-the-Middle attacks: storage traffic can be intercepted, decrypted, and manipulated without the certificate warnings or handshake failures that would otherwise expose the interception. In particular, it makes the ARP Cache Poisoning and Evil Twin (rogue access point) techniques named in the CVE description effective against an otherwise encrypted connection.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications: the TlsInsecureSkipVerify setting defaults to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10.

Deeper analysis

CVE-2026-25060 affects OpenList Frontend, a UI component for OpenList, in versions prior to 4.1.10. The vulnerability stems from TLS certificate verification being disabled by default for all storage driver communications, as the TlsInsecureSkipVerify setting is set to true in the DefaultConfig() function within internal/conf/config.go. This misconfiguration allows connections without validating server certificates, exposing communications to interception. The issue is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-599 (Missing Validation of OpenSSL Certificate).

Remote attackers with network access can exploit this vulnerability through man-in-the-middle (MitM) techniques, such as ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment, to redirect traffic to malicious endpoints. No privileges or user interaction are required, though the attack demands high complexity to position for interception. Successful exploitation enables full decryption, theft, and manipulation of storage operations, as the system establishes encrypted connections with attacker-controlled servers without security warnings.

The vulnerability is fixed in OpenList version 4.1.10. Mitigation involves upgrading to this release, as detailed in the GitHub commit (e3c664f81d0584fbbdb86ffe6644be16259371c1), release notes (v4.1.10), and security advisory (GHSA-wf93-3ghh-h389). Deployments that cannot upgrade immediately should set TlsInsecureSkipVerify to false explicitly rather than relying on the shipped default, and confirm that the storage endpoints present certificates that chain to a trusted CA.
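As an added illustration (not OpenList's own code), the following Go program reproduces the defect described in the NVD description and the analysis above: a config flag copied straight into tls.Config.InsecureSkipVerify, checked against a local self-signed test server that stands in for any untrusted endpoint. Only the TlsInsecureSkipVerify field name comes from the advisory; Config, DefaultConfigVulnerable, DefaultConfigFixed, NewStorageClient and ProbeUntrustedServer are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Config is a hypothetical stand-in for the one field of OpenList's
// internal/conf/config.go that the advisory describes; the real struct is larger.
type Config struct {
	TlsInsecureSkipVerify bool
}

// DefaultConfigVulnerable models the pre-4.1.10 default (verification off);
// DefaultConfigFixed models the corrected default (verification on).
func DefaultConfigVulnerable() Config { return Config{TlsInsecureSkipVerify: true} }
func DefaultConfigFixed() Config      { return Config{TlsInsecureSkipVerify: false} }

// NewStorageClient builds the HTTP client a storage driver would use, passing the
// config flag straight into tls.Config.InsecureSkipVerify as the advisory describes.
func NewStorageClient(c Config) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: c.TlsInsecureSkipVerify},
	}}
}

// ProbeUntrustedServer starts a local HTTPS server with a self-signed certificate (standing in
// for any endpoint whose certificate does not chain to a trusted CA) and reports whether a
// client built from c accepts it. A secure default must not.
func ProbeUntrustedServer(c Config) (accepted bool, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()
	resp, err := NewStorageClient(c).Get(srv.URL)
	if err != nil {
		return false, err // expected for the fixed default: "certificate signed by unknown authority"
	}
	resp.Body.Close()
	return true, nil
}

func main() {
	for name, cfg := range map[string]Config{"pre-4.1.10 default": DefaultConfigVulnerable(), "fixed default": DefaultConfigFixed()} {
		ok, err := ProbeUntrustedServer(cfg)
		fmt.Printf("%-20s accepted=%v err=%v\n", name, ok, err)
	}
}
```

The vulnerable default connects silently; the fixed default fails the handshake, which is the behaviour a deployment should see when a storage endpoint's certificate cannot be validated.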

Details

CWE(s): CWE-599 Missing Validation of OpenSSL Certificate

Affected Products: oplist / openlist, versions ≤ 4.1.10 as listed (the NVD description states the issue is fixed in 4.1.10, so 4.1.10 itself should not be affected)

CVEs Like This One

CVE-2026-25059 (same product: Oplist Openlist)
