CVE-2026-31801
Published: 10 March 2026
Summary
CVE-2026-31801 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Zotregistry Zot. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 11.3 percentile for exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 requires the system to enforce approved authorizations on every access to a resource, manifests included; correct enforcement would have denied a user holding only 'create' permission when that user attempted to overwrite the existing 'latest' tag.
AC-24 requires that the action a request performs, and the resulting authorization decision, be determined accurately for each request; here the middleware inferred 'create' for a PUT that replaced an existing 'latest' manifest, when the action actually performed was 'update'.
SI-2 covers timely identification, reporting, and correction of flaws; the fix for this authorization bypass ships in zot version 2.1.15.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A public-facing OCI registry whose authorization check for PUT /v2/.../manifests can be bypassed is a direct target for T1190. Because the bypass lets a low-privileged user replace the manifest behind a trusted image's 'latest' tag, it also serves T1195.002 (Compromise Software Supply Chain) and T1608.001 (Stage Capabilities: Upload Malware): every downstream consumer that pulls 'latest' receives the attacker's image.
NVD Description
zot is a container image/artifact registry based on the Open Container Identity Distribution Specification. From 1.3.0 to 2.1.14, zot's dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != "latest". As a result, when latest already exists, a user who is allowed to create (but not allowed to update) can still pass the authorization check for an overwrite attempt of latest. This vulnerability is fixed in 2.1.15.
Deeper analysis
CVE-2026-31801 is an authorization bypass (CWE-863) in zot, a container image and artifact registry implementing the Open Container Initiative (OCI) Distribution Specification. Versions 1.3.0 through 2.1.14 are affected. The flaw sits in zot's dist-spec authorization middleware, which decides what action a PUT to /v2/{name}/manifests/{reference} requires before the request reaches the per-repository policy. The middleware defaults to "create" and switches to "update" only when both conditions hold: the tag already exists and the reference is not "latest". A PUT to an existing "latest" tag therefore fails the second condition and is classified as "create", even though it replaces a manifest. The CVSS v3.1 base score is 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N).
An authenticated user who holds "create" but not "update" on a repository can exploit this whenever that repository's "latest" tag already exists: the request is checked against the "create" permission the user does have, passes, and the existing "latest" manifest is overwritten. Confidentiality and availability are unaffected, but integrity impact is high and the scope is changed, because the damage lands on every system that pulls "latest" from the registry rather than on the registry itself; a replaced base or application image is a supply-chain compromise of those consumers. Note that the bug only matters where the policy distinguishes "create" from "update": a user already granted "update" could overwrite "latest" legitimately, and a user without "create" is still denied.
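The following Go program is an added illustration of the action inference described in the NVD text and the analysis above; it is not zot's own middleware code, and the policy structure, user names and the shape of the fixed inference are assumptions made for the example. It places the flawed inference beside a corrected one and runs a constructed create-only identity through both for a PUT to an existing "latest" tag.

```go
package main

import "fmt"

// The action names below follow the vocabulary zot's access-control policies
// use (read, create, update, delete). Everything else here is an illustrative
// reconstruction of the behaviour the advisory describes, not zot's own code.

// inferActionVulnerable reproduces the inference described for zot 1.3.0
// through 2.1.14: a manifest PUT is "create" unless the tag already exists
// AND the reference is something other than "latest".
func inferActionVulnerable(tagExists bool, reference string) string {
	if tagExists && reference != "latest" {
		return "update"
	}
	return "create"
}

// inferActionFixed is the inference a practitioner would expect: any PUT that
// replaces an existing tag is an "update", "latest" included. This is an
// assumption about the intended behaviour; the exact upstream change in
// 2.1.15 is not reproduced here.
func inferActionFixed(tagExists bool, reference string) string {
	if tagExists {
		return "update"
	}
	return "create"
}

// policy is a minimal stand-in for one repository's policy: user -> allowed actions.
type policy map[string]map[string]bool

// allows returns false for unknown users and unknown actions alike.
func (p policy) allows(user, action string) bool {
	return p[user][action]
}

// authorizeManifestPut evaluates a PUT /v2/{name}/manifests/{reference} the
// way a dist-spec authorization middleware would: infer the action, then ask
// the policy. It returns the inferred action and the decision.
func authorizeManifestPut(p policy, user, reference string, tagExists bool,
	infer func(tagExists bool, reference string) string) (string, bool) {
	action := infer(tagExists, reference)
	return action, p.allows(user, action)
}

func main() {
	// Constructed policy: "ci-push" may create tags but not update them;
	// "release" holds both.
	repoPolicy := policy{
		"ci-push": {"read": true, "create": true},
		"release": {"read": true, "create": true, "update": true},
	}

	action, ok := authorizeManifestPut(repoPolicy, "ci-push", "latest", true, inferActionVulnerable)
	fmt.Printf("vulnerable: ci-push PUT latest (tag exists): action=%s allowed=%v\n", action, ok)

	action, ok = authorizeManifestPut(repoPolicy, "ci-push", "latest", true, inferActionFixed)
	fmt.Printf("fixed:      ci-push PUT latest (tag exists): action=%s allowed=%v\n", action, ok)

	action, ok = authorizeManifestPut(repoPolicy, "ci-push", "v1.2.3", true, inferActionVulnerable)
	fmt.Printf("vulnerable: ci-push PUT v1.2.3 (tag exists): action=%s allowed=%v\n", action, ok)
}
```

The third call shows why the bug is specific to "latest": an existing non-"latest" tag is correctly classified as "update" even in the vulnerable inference, so the create-only identity is denied there. Only the "latest" special case collapses an overwrite into a "create" check.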
The GitHub Security Advisory (GHSA-85jx-fm8m-x8c6) confirms the vulnerability and states that it is fixed in zot version 2.1.15. Upgrade to 2.1.15 or later. Until that is done, treat any identity granted "create" on a repository as able to overwrite that repository's "latest" tag, and review policies accordingly: the exposure is limited to repositories where "latest" already exists and where some users hold "create" without "update". After upgrading, confirm the fix on a non-production repository by attempting a manifest PUT to an existing "latest" tag with a create-only identity and checking that it is rejected.
Details
- CWE(s)