CVE-2026-25160: Alist has Insecure TLS Config

February 4, 2026 (updated June 23, 2026)

The application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data.

References

github.com/AlistGo/alist/commit/69629ca76a8f2c8c973ede3b616f93aa26ff23fb
github.com/AlistGo/alist/releases/tag/v3.57.0
github.com/AlistGo/alist/security/advisories/GHSA-8jmm-3xwx-w974
github.com/advisories/GHSA-8jmm-3xwx-w974
nvd.nist.gov/vuln/detail/CVE-2026-25160

Code Behaviors & Features

Detect and mitigate CVE-2026-25160 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →