CVE-2026-31801

Source
https://cve.org/CVERecord?id=CVE-2026-31801
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31801.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31801
Published
2026-03-10T20:54:15.164Z
Modified
2026-04-02T13:23:51.075963Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Summary
zot create-only policy allows overwrite attempts of existing latest tag (update permission not required)
Details

zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. In versions 1.3.0 through 2.1.14, zot's dist-spec authorization middleware infers the action required for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != "latest". As a result, once latest already exists, a user who is allowed to create (but not allowed to update) still passes the authorization check when attempting to overwrite latest. This vulnerability is fixed in 2.1.15.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31801.json"
}
Affected packages

Git / github.com/project-zot/zot

Affected ranges

Type
GIT
Repo
https://github.com/project-zot/zot
Events

Affected versions

v1.*
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.8-rc2
v1.3.8-rc3
v1.3.9
v1.4.0
v1.4.0-rc1
v1.4.0-rc2
v1.4.0-rc3
v1.4.0-rc4
v1.4.1
v1.4.1-rc1
v1.4.1-rc2
v1.4.1-rc3
v1.4.1-rc4
v1.4.1-rc5
v1.4.1-rc6
v1.4.2
v1.4.2-rc1
v1.4.2-rc2
v1.4.2-rc3
v1.4.2-rc4
v1.4.2-rc5
v1.4.2-rc6
v1.4.3
v1.4.3-rc1
v1.4.3-rc2
v1.4.3-rc3
v1.4.3-rc4
v1.4.3-rc5
v1.4.3-rc6
v1.4.3-rc7
v1.4.3-rc8
v1.4.3-rc9
v2.*
v2.0.0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0-rc4
v2.0.0-rc5
v2.0.0-rc6
v2.0.0-rc7
v2.0.0-rc8
v2.0.1
v2.0.1-rc1
v2.0.1-rc2
v2.0.2
v2.0.2-rc1
v2.0.2-rc2
v2.0.2-rc3
v2.0.3
v2.0.4
v2.1.0
v2.1.0-rc1
v2.1.0-rc2
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.13
v2.1.14
v2.1.2
v2.1.2-rc1
v2.1.2-rc2
v2.1.2-rc3
v2.1.2-rc4
v2.1.2-rc5
v2.1.3
v2.1.3-rc1
v2.1.3-rc2
v2.1.3-rc3
v2.1.3-rc4
v2.1.3-rc5
v2.1.3-rc6
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31801.json"