VYPR
Critical severity · NVD Advisory · Published Feb 4, 2026 · Updated Feb 5, 2026

Alist has Insecure TLS Config

CVE-2026-25160

Description

Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data. This issue has been patched in version 3.57.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Alist prior to v3.57.0 disables TLS certificate verification by default for outgoing storage communications, enabling MitM attacks that decrypt, steal, and modify all transmitted data.

Vulnerability

Description

Alist is a file list program that supports multiple storage backends. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications. The TlsInsecureSkipVerify setting is set to true in the DefaultConfig() function in internal/conf/config.go, meaning that every storage driver connection—whether to cloud storage providers or other services—will accept any TLS certificate without validation [2].

Attack

Vector and Exploitation

This misconfiguration makes the system vulnerable to Man-in-the-Middle (MitM) attacks. An attacker positioned on the network path between the Alist server and its storage backends (e.g., via ARP spoofing, a rogue Wi-Fi access point, DNS manipulation, or compromised network infrastructure) can terminate the TLS connection on a host they control. Because certificate verification is skipped, the Alist server completes the handshake with the attacker's server exactly as it would with the legitimate storage endpoint, and sends the request, including any credentials it carries, to the attacker [2]. The proof-of-concept described in the advisory reproduces this in a lab by editing /etc/hosts to point a storage domain at a malicious TLS server (a stand-in for the DNS or routing control a real on-path attacker would have) and successfully captures the authentication cookies the driver sends [2].
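The following Go program is an added example, not code from Alist or from the advisory. It reproduces the failure mode described under Description and in the proof-of-concept above in a self-contained way: a storage driver client is built from a single config flag modelled on the pre-3.57.0 default, and a constructed interceptor (httptest's throwaway self-signed certificate stands in for the attacker's TLS server) records whatever Cookie header the driver sends. With the old default the cookie is captured; with the patched default the handshake is rejected before any request is sent. The names Config, Interceptor, StorageOp and the cookie value are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Config is a hypothetical stand-in for the one knob the advisory is about
// (alist's conf.Conf.TlsInsecureSkipVerify); it is not the project's type.
type Config struct {
	TlsInsecureSkipVerify bool
}

// VulnerableDefault mirrors the pre-3.57.0 default; FixedDefault the patched one.
func VulnerableDefault() Config { return Config{TlsInsecureSkipVerify: true} }
func FixedDefault() Config      { return Config{TlsInsecureSkipVerify: false} }

// newDriverClient builds the outbound client the way a storage driver does:
// this single flag decides whether the peer certificate is checked at all.
func newDriverClient(cfg Config) *http.Client {
	return &http.Client{Transport: &http.Transport{
		Proxy:           http.ProxyFromEnvironment,
		TLSClientConfig: &tls.Config{InsecureSkipVerify: cfg.TlsInsecureSkipVerify},
	}}
}

// Interceptor is a constructed stand-in for the attacker's server that the
// storage hostname has been redirected to. httptest's certificate is signed
// by a throwaway CA no trust store knows, exactly what a MitM would present.
type Interceptor struct {
	srv      *httptest.Server
	mu       sync.Mutex
	captured []string
}

func NewInterceptor() *Interceptor {
	ic := &Interceptor{}
	ic.srv = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ic.mu.Lock()
		ic.captured = append(ic.captured, r.Header.Get("Cookie")) // harvest the credential
		ic.mu.Unlock()
		w.WriteHeader(http.StatusOK)
	}))
	return ic
}

func (ic *Interceptor) URL() string { return ic.srv.URL }
func (ic *Interceptor) Close()      { ic.srv.Close() }

// Captured returns every Cookie header the attacker has harvested so far.
func (ic *Interceptor) Captured() []string {
	ic.mu.Lock()
	defer ic.mu.Unlock()
	return append([]string(nil), ic.captured...)
}

// StorageOp performs one WebDAV-style request carrying the backend session
// cookie and reports whether the request (and so the cookie) reached the peer.
func StorageOp(cfg Config, endpoint, cookie string) (delivered bool, err error) {
	req, err := http.NewRequest("PROPFIND", endpoint+"/dav/", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Cookie", cookie)
	client := newDriverClient(cfg)
	defer client.CloseIdleConnections()
	resp, err := client.Do(req)
	if err != nil {
		return false, err // with verification on, this is the TLS handshake failing
	}
	resp.Body.Close()
	return true, nil
}

// RejectedAsUntrusted reports whether err is Go's "certificate signed by
// unknown authority" verification failure, i.e. the interceptor was refused.
func RejectedAsUntrusted(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	ic := NewInterceptor()
	defer ic.Close()
	const cookie = "FedAuth=constructed-session-token" // constructed sample credential

	_, err := StorageOp(VulnerableDefault(), ic.URL(), cookie)
	fmt.Printf("pre-3.57.0 default: err=%v captured=%q\n", err, ic.Captured())

	_, err = StorageOp(FixedDefault(), ic.URL(), cookie)
	fmt.Printf("3.57.0 default:     untrusted cert rejected=%v captured=%q\n", RejectedAsUntrusted(err), ic.Captured())
}
```

The interceptor never has to break any cryptography: the client negotiates a perfectly good TLS session with it, so nothing in the traffic looks wrong to the application. That is why the advisory notes the attack raises no warning in Alist itself.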

Impact

Successful exploitation allows the attacker to decrypt, steal, and manipulate all data transmitted during storage operations [1][2]. This can include authentication credentials (such as cookies or tokens for storage providers) and the actual stored file content. The confidentiality and integrity of all user data managed by the Alist instance are severely compromised, and the attack may occur without triggering any security warnings in the application [2].

Mitigation

The vulnerability has been patched in Alist version 3.57.0. The fix flips the global TlsInsecureSkipVerify default to false, routes the WebDAV driver and the LDAP login dialer through that single global setting instead of their own per-driver or hard-coded values, and logs a prominent startup warning whenever an administrator explicitly disables verification [2][4]. Users should update to version 3.57.0 or later. On unpatched versions, setting the global TLS option to false in the configuration closes the gap for drivers that read the global setting, but the patch diff shows the LDAP login path hard-coded InsecureSkipVerify: true regardless of configuration, so a configuration change alone is not a complete workaround; upgrading is the only full fix. Operators whose storage backends use self-signed certificates should add the backend's CA to the host trust store rather than re-enable the insecure setting, which after the fix applies to every outbound connection that honours it, including LDAP.
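An added example (not Alist's code) of the alternative the paragraph above recommends: keeping verification on and trusting a private CA explicitly, rather than flipping the global skip-verify switch. A verifying transport is built from a hypothetical TrustSettings value; with no extra roots it uses the system store and rejects a constructed self-signed backend (again httptest's throwaway certificate), and with that backend's CA added it verifies successfully while InsecureSkipVerify stays false. TrustSettings, NewVerifiedTransport and Probe are assumed names.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// TrustSettings is a hypothetical per-deployment trust configuration (not
// alist's): verification is always on; a private CA may be added explicitly.
type TrustSettings struct {
	ExtraRoots []*x509.Certificate // operator-supplied CA certs for self-hosted backends
}

// NewVerifiedTransport never sets InsecureSkipVerify. With no ExtraRoots it
// relies on the system trust store (RootCAs nil); otherwise it builds a pool
// of the system roots plus the operator's CA, so a self-signed lab backend
// works without disabling certificate checks for every other connection.
func NewVerifiedTransport(ts TrustSettings) *http.Transport {
	var pool *x509.CertPool
	if len(ts.ExtraRoots) > 0 {
		var err error
		pool, err = x509.SystemCertPool()
		if err != nil || pool == nil {
			pool = x509.NewCertPool() // assumption: fall back to the operator CA alone
		}
		for _, c := range ts.ExtraRoots {
			pool.AddCert(c)
		}
	}
	return &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		TLSClientConfig: &tls.Config{
			MinVersion: tls.VersionTLS12,
			RootCAs:    pool, // nil means "system roots", never "skip verification"
		},
	}
}

// Probe issues one request through the verifying transport and reports
// whether the peer certificate passed verification and the backend answered.
func Probe(ts TrustSettings, baseURL string) (ok bool, err error) {
	client := &http.Client{Transport: NewVerifiedTransport(ts)}
	defer client.CloseIdleConnections()
	resp, err := client.Get(baseURL + "/dav/")
	if err != nil {
		return false, err // certificate verification failures surface here
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

func main() {
	// Constructed self-signed backend standing in for a lab WebDAV/S3 endpoint.
	backend := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	defer backend.Close()

	_, err := Probe(TrustSettings{}, backend.URL)
	fmt.Println("system roots only:", err)

	ok, err := Probe(TrustSettings{ExtraRoots: []*x509.Certificate{backend.Certificate()}}, backend.URL)
	fmt.Println("backend CA pinned, InsecureSkipVerify=false:", ok, err)
}
```

For a real deployment the extra root comes from a PEM file the operator controls (x509.CertPool.AppendCertsFromPEM), and hostname checking still applies, so the backend's certificate must name the host Alist connects to.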

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Ecosystem   Affected versions   Patched versions
github.com/alist-org/alist/v3   Go          < 3.57.0            3.57.0

Affected products

  • Alist/Alist
    Range: < 3.57.0
  • AlistGo/alist
    Range: < 3.57.0

Patches

Commit 69629ca76a8f: "Merge commit from fork"

Repository: https://github.com/AlistGo/alist · Author: 千石 · Feb 3, 2026 · via ghsa
5 files changed · +13 −4
  • drivers/webdav/meta.go+0 1 modified
    @@ -11,7 +11,6 @@ type Addition struct {
     	Username string `json:"username" required:"true"`
     	Password string `json:"password" required:"true"`
     	driver.RootPath
    -	TlsInsecureSkipVerify bool `json:"tls_insecure_skip_verify" default:"false"`
     }
     
     var config = driver.Config{
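Review bot: dropping the `TlsInsecureSkipVerify` field from the WebDAV `Addition` struct silently ignores the `tls_insecure_skip_verify` value already saved in existing WebDAV storage entries (the JSON key on the deleted line), and nothing in this change tells operators that the per-storage option no longer does anything and that the global config key governs instead. At minimum state this in the release notes; alternatively keep the field for one release and log when a stored entry sets it, so the behaviour change is visible rather than silent.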
    
  • drivers/webdav/util.go+2 1 modified
    @@ -6,6 +6,7 @@ import (
     	"net/http/cookiejar"
     
     	"github.com/alist-org/alist/v3/drivers/webdav/odrvcookie"
    +	"github.com/alist-org/alist/v3/internal/conf"
     	"github.com/alist-org/alist/v3/internal/model"
     	"github.com/alist-org/alist/v3/pkg/gowebdav"
     )
    @@ -20,7 +21,7 @@ func (d *WebDav) setClient() error {
     	c := gowebdav.NewClient(d.Address, d.Username, d.Password)
     	c.SetTransport(&http.Transport{
     		Proxy:           http.ProxyFromEnvironment,
    -		TLSClientConfig: &tls.Config{InsecureSkipVerify: d.TlsInsecureSkipVerify},
    +		TLSClientConfig: &tls.Config{InsecureSkipVerify: conf.Conf.TlsInsecureSkipVerify},
     	})
     	if d.isSharepoint() {
     		cookie, err := odrvcookie.GetCookie(d.Username, d.Password, d.Address)
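Review bot: the transport now honours `conf.Conf.TlsInsecureSkipVerify`, but the SharePoint branch directly below calls `odrvcookie.GetCookie(d.Username, d.Password, d.Address)`, which is not touched by this patch; please confirm that the client it uses to obtain the cookie applies the same TLS verification setting, since that credential exchange is precisely what the advisory's proof-of-concept captured. While the `tls.Config` is being edited, consider also setting `MinVersion: tls.VersionTLS12`.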
    
  • internal/bootstrap/config.go+9 0 modified
    @@ -70,6 +70,15 @@ func InitConfig() {
     	if !conf.Conf.Force {
     		confFromEnv()
     	}
    +	if conf.Conf.TlsInsecureSkipVerify {
    +		log.Warn("SECURITY WARNING / 安全警告:")
    +		log.Warn("TLS certificate verification is disabled.")
    +		log.Warn("TLS 证书校验已被禁用。")
    +		log.Warn("This exposes all storage traffic to MitM attacks and may leak credentials or allow data tampering.")
    +		log.Warn("这会使所有存储通信暴露于中间人攻击(MitM),可能导致凭据泄露和数据被篡改。")
    +		log.Warn("Only use this setting if you fully understand the risks.")
    +		log.Warn("仅在你完全理解风险的情况下使用该配置。")
    +	}
     	// convert abs path
     	if !filepath.IsAbs(conf.Conf.TempDir) {
     		absPath, err := filepath.Abs(conf.Conf.TempDir)
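Review bot: the check is correctly placed after `confFromEnv()`, so an environment override is reflected, but seven separate `log.Warn` calls can interleave with other goroutines' log output and lose the banner's meaning; emit the warning as one multi-line message. A single startup log line is also easy to miss in container deployments, and since the per-storage option was removed, any operator who needs skip-verify for one lab backend now has to disable verification for every outbound connection this setting covers; consider surfacing the warning where administrators actually look (the settings page) rather than only in the log.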
    
  • internal/conf/config.go+1 1 modified
    @@ -156,7 +156,7 @@ func DefaultConfig() *Config {
     		},
     		MaxConnections:        0,
     		MaxConcurrency:        64,
    -		TlsInsecureSkipVerify: true,
    +		TlsInsecureSkipVerify: false,
     		Tasks: TasksConfig{
     			Download: TaskConfig{
     				Workers:  5,
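Review bot: flipping the default is right, but a changed default only takes effect for installations whose config file does not already carry the key; a config file that was generated from the old defaults will keep the insecure value across the upgrade. The release notes for this fix should tell upgraders to check the `TlsInsecureSkipVerify` key in their existing configuration, because the new startup warning in `internal/bootstrap/config.go` only helps if someone reads the log.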
    
  • server/handles/ldap_login.go+1 1 modified
    @@ -150,7 +150,7 @@ func dial(ldapServer string) (*ldap.Conn, error) {
     	}
     
     	if tlsEnabled {
    -		return ldap.DialTLS("tcp", ldapServer, &tls.Config{InsecureSkipVerify: true})
    +		return ldap.DialTLS("tcp", ldapServer, &tls.Config{InsecureSkipVerify: conf.Conf.TlsInsecureSkipVerify})
     	} else {
     		return ldap.Dial("tcp", ldapServer)
     	}
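Review bot: the `else` branch still uses `ldap.Dial`, a plaintext connection over which the bind credentials from the login handler travel in the clear; with the TLS path now verifying, this is the remaining weak spot. Consider calling `StartTLS` on the plain connection when the server supports it, or document that `tlsEnabled` should always be on for production. Also confirm that `conf` is already imported in this file, since the hunk adds no import line.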
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
