Home

Description

zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != "latest". As a result, when latest already exists, a user who is allowed to create (but not allowed to update) can still pass the authorization check for an overwrite attempt of latest. This vulnerability is fixed in 2.1.15.

PUBLISHED Reserved 2026-03-09 | Published 2026-03-10 | Updated 2026-03-11 | Assigner GitHub_M




HIGH: 7.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Problem types

CWE-863: Incorrect Authorization

Product status

>= 1.3.0, < v2.1.15
affected

References

github.com/...ot/zot/security/advisories/GHSA-85jx-fm8m-x8c6

cve.org (CVE-2026-31801)

nvd.nist.gov (CVE-2026-31801)

Download JSON