CVE-2026-25160 – Alist Certificate Validation Bypass Vulnerability
“When a system stops verifying certificates, attackers can quietly sit in the middle and read or change everything.”
This patch addresses a critical certificate validation bypass vulnerability (CVE-2026-25160) in Alist, a file listing and multi-storage management platform. The issue affects Alist versions prior to 3.57.0, where TLS certificate verification for storage driver communications was disabled by default. This weakness allowed attackers to impersonate trusted services and intercept communications between Alist and connected storage backends.
The vulnerability enables Man-in-the-Middle attacks, allowing attackers to intercept, view, and manipulate sensitive data transferred between Alist and external storage services. Because the issue can be exploited over the network without authentication, it significantly impacts the confidentiality and integrity of stored files. CVE-2026-25160 has a CVSS v3.1 score of 9.1 (Critical).
The patch released in Alist version 3.57.0 restores proper TLS certificate verification and removes the insecure configuration that allowed connections to proceed without validating server authenticity. Proof-of-concept exploit code is publicly available.
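The following Go program is an added illustration, not code from this advisory or from the Alist project. It contrasts the weak client posture the advisory describes (a storage-driver TLS client with certificate verification switched off) with the corrected one, and adds the case a deployment with a private backend certificate actually needs: pinning that backend's CA instead of disabling checks. The names `backendHost`, `selfSignedCert`, `driverTLSConfig`, `isCertError`, `handshake` and `demo` are hypothetical, and the self-signed certificate is generated on the fly as a stand-in for a server (or an on-path box) that no trust store knows.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

// backendHost is a constructed name standing in for a storage backend.
const backendHost = "storage.example"

// selfSignedCert issues a throwaway certificate for backendHost, modelling a
// backend (or an interposed box) whose certificate no trust store knows.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{backendHost},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// driverTLSConfig is the client config a storage driver hands to its HTTP
// transport (hypothetical helper, not Alist's code). skipVerify=true models the
// pre-3.57.0 default; roots pins a private CA instead of the system store.
func driverTLSConfig(skipVerify bool, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName:         backendHost,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: skipVerify, // CWE-295 when true
		RootCAs:            roots,
	}
}

// isCertError tells a certificate validation failure apart from other errors.
func isCertError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	var noRoots x509.SystemRootsError // raised where no system trust store exists
	return errors.As(err, &unknownCA) || errors.As(err, &badHost) || errors.As(err, &noRoots)
}

// handshake runs one client handshake against serverCert over loopback TCP and
// returns the client's handshake error (nil means the server was accepted).
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	serverDone := make(chan struct{})
	go func() {
		defer close(serverDone)
		if sConn, err := ln.Accept(); err == nil {
			defer sConn.Close()
			tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
		}
	}()
	dialer := &net.Dialer{Timeout: 5 * time.Second} // bounds connect plus handshake
	cConn, err := tls.DialWithDialer(dialer, "tcp", ln.Addr().String(), clientCfg)
	<-serverDone
	if err == nil {
		cConn.Close()
	}
	return err
}

// demo runs the weak and the corrected client posture against the same untrusted
// certificate and returns (insecureAccepted, strictRejected, pinnedAccepted).
func demo() (bool, bool, bool) {
	cert, err := selfSignedCert()
	if err != nil {
		return false, false, false
	}
	leaf, _ := x509.ParseCertificate(cert.Certificate[0])
	pool := x509.NewCertPool() // pinning the backend's own CA: the fix for private certs
	pool.AddCert(leaf)
	insecureAccepted := handshake(cert, driverTLSConfig(true, nil)) == nil
	strictRejected := isCertError(handshake(cert, driverTLSConfig(false, nil)))
	pinnedAccepted := handshake(cert, driverTLSConfig(false, pool)) == nil
	return insecureAccepted, strictRejected, pinnedAccepted
}
```

Calling `demo()` returns `true, true, true`: the client that skips verification accepts the unknown certificate without complaint, the corrected client refuses it with a certificate error, and the corrected client with the backend's CA pinned accepts it. That last posture is the supported way to reach a backend that presents a private certificate; setting `InsecureSkipVerify` instead is exactly the condition that lets any on-path party impersonate the storage service, which is the CWE-295 weakness the 3.57.0 patch removes.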
Key Details
- Affected Product: Alistgo Alist
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-295