CVE-2026-25161 in alist
Summary
by MITRE • 02/04/2026
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains a path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. This issue has been patched in version 3.57.0.
Analysis
by VulDB Data Team • 02/20/2026
The vulnerability identified as CVE-2026-25161 affects Alist, a popular file list application that supports multiple storage systems and utilizes the Gin framework for backend operations alongside Solidjs for frontend rendering. This path traversal flaw exists in the file operation handlers of the application and represents a critical security weakness that undermines the integrity of user access controls. The vulnerability specifically targets the authorization mechanisms that should prevent users from accessing files outside their designated directories, creating a scenario where legitimate users can exploit the system to gain unauthorized access to resources they should not be able to reach.
The technical root cause of this vulnerability is insufficient input validation within the file operation handlers that process filename components. When an authenticated attacker submits traversal sequences such as ../ or ..\ within filename parameters, the application fails to sanitize these inputs before performing the file operation. This allows the attacker to manipulate the resolved file path and navigate beyond the designated storage boundary. The vulnerability manifests in operations involving file removal, movement, and copying, making it particularly dangerous because it enables not just read access but also modification and deletion of files across user permission boundaries. This type of flaw is classified as CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal.
The operational impact of this vulnerability extends beyond simple unauthorized file access, creating significant risks for data integrity and user privacy within the Alist environment. An authenticated attacker can leverage this weakness to move files between user accounts within the same storage mount, effectively bypassing the application's user isolation mechanisms. This cross-user file manipulation capability means that sensitive data could be accessed, modified, or deleted by unauthorized users, potentially leading to data loss, privacy breaches, or system compromise. The vulnerability affects all versions prior to 3.57.0, indicating that organizations running older versions of Alist are exposed to this risk, particularly in environments where multiple users share the same storage resources.
The remediation for CVE-2026-25161 requires prompt deployment of version 3.57.0 or later, which includes proper input sanitization and path validation measures. Security teams should test that the patch addresses the path traversal vectors without introducing regressions in legitimate file operations. Organizations should also audit their Alist installations for signs of exploitation and monitor system logs for file operation requests whose path parameters contain traversal sequences. From a defensive perspective, this vulnerability demonstrates the importance of proper input validation and access control; because exploitation requires a valid login, it aligns with ATT&CK technique T1078 (Valid Accounts), which covers the abuse of legitimate accounts for access and privilege escalation. The fix should include robust sanitization of all user-supplied path components and enforcement of strict directory boundaries, ensuring that file operations remain confined to authorized storage locations and user permissions.
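The check described in the analysis above, in an added example that is not Alist's own code: a weak join that authorises the directory but concatenates the filename component unchecked, beside a hardened join that normalises the result and requires it to stay under the authorised directory. The mount layout (/mount/users/alice), the function names and the sample filenames are constructed for illustration and are not taken from the Alist source or from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrOutsideBase is returned when a requested path resolves outside the
// directory the user is authorised for.
var ErrOutsideBase = errors.New("path escapes authorised directory")

// naiveJoin models the weak pattern behind this bug class (hypothetical name):
// the directory was already checked against the user's permissions, but the
// filename component is appended unchecked, so "../" in the name walks out
// of the authorised directory when the operating system resolves the path.
func naiveJoin(authorisedDir, name string) string {
	return authorisedDir + "/" + name
}

// safeJoin is the hardened form (hypothetical name): reject malformed
// components up front, canonicalise the joined path, and then enforce the
// boundary on the canonical result rather than on the raw input.
func safeJoin(authorisedDir, name string) (string, error) {
	// Backslashes are rejected outright: on Windows-backed storage "..\" is a
	// traversal, and path.Clean does not treat it as a separator.
	if name == "" || strings.Contains(name, "\\") || strings.HasPrefix(name, "/") {
		return "", fmt.Errorf("invalid path component %q", name)
	}
	base := path.Clean("/" + authorisedDir)
	full := path.Clean(base + "/" + name)

	// The trailing separator matters: without it, "/mount/users/alice2" would
	// pass a prefix check against "/mount/users/alice".
	prefix := base + "/"
	if base == "/" {
		prefix = "/"
	}
	// A name that resolves to the directory itself is not a file under it,
	// so it is refused along with anything outside.
	if full == base || !strings.HasPrefix(full, prefix) {
		return "", ErrOutsideBase
	}
	return full, nil
}

// checkOperation models the authorisation a remove, move or copy handler
// should perform: every source and destination must resolve inside the
// authorised directory, or the whole request is rejected.
func checkOperation(authorisedDir string, names []string) ([]string, error) {
	resolved := make([]string, 0, len(names))
	for _, n := range names {
		p, err := safeJoin(authorisedDir, n)
		if err != nil {
			return nil, fmt.Errorf("rejecting %q: %w", n, err)
		}
		resolved = append(resolved, p)
	}
	return resolved, nil
}

func main() {
	// Constructed sample: the user is authorised for /mount/users/alice only.
	dir := "/mount/users/alice"
	for _, n := range []string{"report.pdf", "sub/../report.pdf", "../bob/secret.txt", "..\\bob\\secret.txt"} {
		fmt.Printf("naive: %s\n", path.Clean(naiveJoin(dir, n)))
		if p, err := safeJoin(dir, n); err != nil {
			fmt.Printf("safe : %v\n", err)
		} else {
			fmt.Printf("safe : %s\n", p)
		}
	}
}
```

The boundary is enforced on the cleaned path, not by searching the input for "..": that is what makes the check hold for encoded or nested variants the handler did not anticipate, while still allowing a legitimate relative name such as sub/../report.pdf that resolves inside the directory.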