
CVE-2026-25060: CWE-599: Missing Validation of OpenSSL Certificate in OpenListTeam OpenList

Severity: High
Tags: Vulnerability, CVE-2026-25060, CWE-599
Published: Mon Feb 02 2026 (02/02/2026, 22:26:42 UTC)
Source: CVE Database V5
Vendor/Project: OpenListTeam
Product: OpenList

Description

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting defaults to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10.

AI-Powered Analysis

AI analysis last updated: 02/10/2026, 10:47:46 UTC

Technical Analysis

CVE-2026-25060 is a vulnerability in the OpenList software developed by OpenListTeam, affecting versions prior to 4.1.10. The root cause is the default configuration value TlsInsecureSkipVerify=true in the DefaultConfig() function within internal/conf/config.go, which disables TLS certificate verification for all storage driver communications. When OpenList establishes a TLS connection to a storage backend, it therefore does not validate the server certificate's chain of trust or its hostname and accepts whatever certificate is presented. The session is still encrypted, but it is encrypted to whichever party answered the connection, so encryption alone provides no assurance about who that party is. An attacker positioned on the network path, through ARP spoofing, a rogue Wi-Fi access point, or a compromised internal network device, can redirect the connection to an endpoint they control, terminate TLS there with a self-signed certificate, and read and modify everything the driver sends and receives, including any credentials or tokens the driver presents to the backend. Because validation is skipped, no warning or error is raised, so the interception leaves no trace in OpenList's own behaviour. The vulnerability impacts confidentiality (data theft), integrity (data manipulation), and availability (disruption of storage operations). The CVSS v3.1 base score is 8.1, reflecting high severity with a network attack vector, high impact on confidentiality, integrity, and availability, and no required privileges or user interaction. No exploitation in the wild has been reported, but the only precondition is a position on the path between OpenList and its storage backends, which the network-level techniques above provide on any insufficiently segmented network. The issue is resolved in OpenList version 4.1.10 by enabling certificate verification by default.

Potential Impact

For European organizations, this vulnerability poses a serious risk to the security of storage communications within OpenList deployments. Organizations handling sensitive or regulated data, such as financial institutions, healthcare providers, and government agencies, could suffer breaches resulting in loss of confidentiality and integrity. An attacker exploiting this vulnerability can intercept and manipulate storage traffic, potentially leading to data corruption, unauthorized disclosure, or disruption of services that rely on OpenList. The risk is highest where OpenList reaches its storage backends over networks that are not strictly segmented or that untrusted parties can join, for example shared office Wi-Fi or a flat internal LAN. Any deployment in which OpenList mediates access to sensitive data is exposed, regardless of sector. Because the interception produces no warning on the OpenList side, compromise can persist undetected, which undermines trust in the encrypted channel and complicates incident response and forensic analysis.

Mitigation Recommendations

1. Upgrade OpenList installations to version 4.1.10 or later, where TLS certificate verification is enabled by default.
2. Where an immediate upgrade is not feasible, explicitly set TlsInsecureSkipVerify to false in the OpenList configuration so that certificate validation is enforced, and confirm the configuration key and environment variable names against the configuration reference for the version you run.
3. Verify the change rather than assuming it: point a storage driver at a test endpoint that presents a self-signed or otherwise untrusted certificate and confirm that the connection is refused. If it succeeds, verification is still off.
4. Ensure the storage backends' certificates chain to a CA that the OpenList host trusts. Private backends signed by an internal CA need that CA added to the host's trust store; this is the correct fix, not re-enabling TlsInsecureSkipVerify.
5. If OpenList has been running with the vulnerable default on a network where untrusted parties could have held a path position, treat the credentials and tokens used by the affected storage drivers as potentially exposed and rotate them.
6. Implement strict network segmentation and access controls to limit exposure of internal storage communication channels.
7. Deploy network monitoring and intrusion detection capable of identifying ARP spoofing, rogue access points, and other MitM attack vectors.
8. Use certificate pinning or mutual TLS authentication where the backend is under your control; these are generally not available for third-party cloud storage providers.
9. Conduct regular security audits and penetration testing focused on network infrastructure and storage communication paths.
10. Educate administrators on the risks of insecure TLS configurations and on best practices for certificate management.
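The following is an added example, not code from the OpenList project or from the advisory, that shows what the technical analysis above describes and what mitigation item 3 asks you to verify: the same HTTP client, built once from the vulnerable default and once from the corrected default, is pointed at a local TLS server whose certificate no trust store recognises, standing in for the attacker-controlled endpoint. StorageTLSConfig, its JSON key, and all function names here are assumptions for illustration; OpenList's real DefaultConfig() carries many more fields, and only the TlsInsecureSkipVerify field name is taken from the advisory.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// StorageTLSConfig holds the single setting the advisory describes. The Go field
// name TlsInsecureSkipVerify is taken from the advisory; the JSON key is an
// assumption for illustration and is not taken from the OpenList source.
type StorageTLSConfig struct {
	TlsInsecureSkipVerify bool `json:"tls_insecure_skip_verify"`
}

// VulnerableDefaultConfig reproduces the pre-4.1.10 default the advisory
// describes: verification off for every storage driver connection.
func VulnerableDefaultConfig() StorageTLSConfig {
	return StorageTLSConfig{TlsInsecureSkipVerify: true}
}

// HardenedDefaultConfig is the corrected default: certificates are verified.
func HardenedDefaultConfig() StorageTLSConfig {
	return StorageTLSConfig{TlsInsecureSkipVerify: false}
}

// NewStorageClient builds the HTTP client a storage driver would use. The config
// flag maps onto tls.Config.InsecureSkipVerify, the switch that disables chain
// and hostname validation in Go's TLS client.
func NewStorageClient(cfg StorageTLSConfig) *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				InsecureSkipVerify: cfg.TlsInsecureSkipVerify,
				MinVersion:         tls.VersionTLS12,
			},
		},
	}
}

// StartImposterBackend starts a local TLS server whose certificate is signed by
// a throwaway CA that no trust store knows. It stands in for the endpoint that
// ARP spoofing or a rogue access point would redirect the driver to.
func StartImposterBackend() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "response from an endpoint that is not your storage backend")
	}))
}

// ConnectionAccepted reports whether a client built from cfg completes a
// request to url. With verification on, the imposter must be refused.
func ConnectionAccepted(cfg StorageTLSConfig, url string) (bool, error) {
	resp, err := NewStorageClient(cfg).Get(url)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return true, nil
}

// IsTrustFailure tells a certificate-trust rejection apart from other errors
// (timeouts, refused connections), which is what a driver should log distinctly.
func IsTrustFailure(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var hostMismatch x509.HostnameError
	return errors.As(err, &unknownCA) || errors.As(err, &hostMismatch)
}

func main() {
	srv := StartImposterBackend()
	defer srv.Close()

	for _, tc := range []struct {
		name string
		cfg  StorageTLSConfig
	}{
		{"vulnerable default (skip verify)", VulnerableDefaultConfig()},
		{"hardened default (verify)", HardenedDefaultConfig()},
	} {
		ok, err := ConnectionAccepted(tc.cfg, srv.URL)
		fmt.Printf("%-36s accepted=%-5v trustFailure=%v\n", tc.name, ok, IsTrustFailure(err))
	}
}
```

Run with `go run .`: the vulnerable default completes the request and reads the imposter's body, while the hardened default fails with an unknown-authority error before any application data is sent. The same check, with a real driver pointed at a test endpoint carrying a self-signed certificate, is how to confirm that a manual TlsInsecureSkipVerify=false setting actually took effect.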


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-28T14:50:47.889Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69813005f9fa50a62f63a3ee

Added to database: 2/2/2026, 11:15:17 PM

Last enriched: 2/10/2026, 10:47:46 AM

Last updated: 3/20/2026, 5:59:57 AM

Views: 121
