CVE-2026-31801

zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != "latest". As a result, when latest already exists, a user who is allowed to create (but not allowed to update) can still pass the authorization check for an overwrite attempt of latest. This vulnerability is fixed in 2.1.15.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/project-zot/zot/security/advisories/GHSA-85jx-fm8m-x8c6	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:zotregistry:zot:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-10 21:16

Updated : 2026-03-18 19:30

NVD link : CVE-2026-31801

Mitre link : CVE-2026-31801

CVE.ORG link : CVE-2026-31801

JSON object : View

Products Affected

zotregistry

zot

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-31801", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2026-03-10T21:16:49.850", "references": [{"url": "https://github.com/project-zot/zot/security/advisories/GHSA-85jx-fm8m-x8c6", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot\u2019s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != \"latest\". As a result, when latest already exists, a user who is allowed to create (but not allowed to update) can still pass the authorization check for an overwrite attempt of latest. This vulnerability is fixed in 2.1.15."}, {"lang": "es", "value": "zot es un registro de im\u00e1genes/artefactos de contenedores basado en la Especificaci\u00f3n de Distribuci\u00f3n de Open Container Initiative. Desde la versi\u00f3n 1.3.0 hasta la 2.1.14, el middleware de autorizaci\u00f3n dist-spec de zot infiere la acci\u00f3n requerida para PUT /v2/{name}/manifests/{reference} como 'crear' por defecto, y solo cambia a 'actualizar' cuando la etiqueta ya existe y reference != 'latest'. Como resultado, cuando 'latest' ya existe, un usuario al que se le permite crear (pero no se le permite actualizar) a\u00fan puede pasar la verificaci\u00f3n de autorizaci\u00f3n para un intento de sobrescritura de 'latest'. Esta vulnerabilidad se corrige en la versi\u00f3n 2.1.15."}], "lastModified": "2026-03-18T19:30:20.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zotregistry:zot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "221F7F0D-2FD7-45AB-9A1A-5F1AFA35153F", "versionEndExcluding": "2.1.15", "versionStartIncluding": "1.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}