CVE-2026-31801
HIGH 7.7
Description
zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != "latest". As a result, when latest already exists, a user who is allowed to create (but not allowed to update) can still pass the authorization check for an overwrite attempt of latest. This vulnerability is fixed in 2.1.15.
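The inference described above, modeled as an added example (not zot's source code and not the 2.1.15 patch). All function names, the constructed create-only policy, and the hardened variant are assumptions made for illustration.

```go
package main

import "fmt"

// Hypothetical action names; zot's real identifiers are not shown on this page.
const (
	Create = "create"
	Update = "update"
)

// inferActionVulnerable mirrors the behaviour described in the CVE text:
// default to create, switch to update only when the tag already exists
// AND reference != "latest".
func inferActionVulnerable(reference string, tagExists bool) string {
	action := Create
	if tagExists && reference != "latest" {
		action = Update
	}
	return action
}

// inferActionHardened (assumed correction) treats any PUT to an existing
// tag as update, with no special case for "latest".
func inferActionHardened(reference string, tagExists bool) string {
	if tagExists {
		return Update
	}
	return Create
}

// allowed reports whether the inferred action is in the user's granted set.
func allowed(granted []string, action string) bool {
	for _, g := range granted {
		if g == action {
			return true
		}
	}
	return false
}

func main() {
	granted := []string{Create} // constructed policy: create only, no update
	for _, ref := range []string{"v1", "latest"} {
		v := allowed(granted, inferActionVulnerable(ref, true))
		h := allowed(granted, inferActionHardened(ref, true))
		fmt.Printf("PUT existing tag %-6s vulnerable=%v hardened=%v\n", ref, v, h)
	}
}
```

A regression test for the authorization layer should cover exactly this matrix: existing versus new tag, "latest" versus any other reference, for a create-only user.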
CVE Details
CVSS v3.1 score: 7.7
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 3/10/2026
Last modified: 3/18/2026
Source: nvd
Honeypot observations: 0
Affected products
zotregistry:zot
Weaknesses (CWE)
CWE-863
References
https://github.com/project-zot/zot/security/advisories/GHSA-85jx-fm8m-x8c6 (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.