Cyber Resilience

CVE-2026-31801

High · Public PoC

Published: 10 March 2026
Modified: 18 March 2026
KEV Added: not listed
Patch: fixed in zot 2.1.15
CVSS Score (v3.1): 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)
EPSS Score: 0.0004 (13.8th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31801 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Zotregistry Zot. Its CVSS base score is 7.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 13.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-31801 is an authorization bypass vulnerability (CWE-863) in zot, a container image and artifact registry implementing the Open Container Initiative (OCI) Distribution Specification. The issue affects versions 1.3.0 through 2.1.14 in zot's dist-spec authorization middleware, which handles PUT requests to /v2/{name}/manifests/{reference}. By default, the middleware infers the required action as "create" and switches to "update" only if the tag already exists and the reference is not "latest". Because "latest" is carved out of that check, a PUT that overwrites an existing "latest" tag is still classified and authorized as a create. The vulnerability has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N).

An authenticated attacker with "create" permission but without "update" permission can exploit this whenever the "latest" tag already exists in a repository. The middleware treats the PUT as a "create" action, the authorization check passes, and the attacker overwrites the existing "latest" manifest. The CVSS vector records high integrity impact with a changed scope (and no confidentiality or availability impact): the bypass is in the registry's authorization layer, but the damage lands on every consumer that pulls the overwritten tag, which makes this a supply-chain vector for replacing trusted container images with malicious ones.

The GitHub Security Advisory (GHSA-85jx-fm8m-x8c6) confirms the vulnerability and states it is fixed in zot version 2.1.15. Security practitioners should upgrade to 2.1.15 or later and review which principals hold "create" without "update" on repositories that carry a "latest" tag, since on affected versions that combination is effectively an overwrite permission for "latest". Consumers that pin images by digest rather than by mutable tag do not silently pick up an overwritten "latest", which limits the blast radius while the upgrade is rolled out.


Vulnerability details

zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot's dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != "latest". As a result, when latest already exists, a user who is allowed to create (but not allowed to update) can still pass the authorization check for an overwrite attempt of latest. This vulnerability is fixed in 2.1.15.
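The create/update inference described above, as an added example that is not zot's own code: a small Go model of the authorization decision with the vulnerable inference beside a hardened one. The repository state, the policy, and the user "builder" (create but not update on repository "app") are constructed for this example; InferHardened is a hypothetical corrected form written here to show the contrast, not a copy of the 2.1.15 patch.

```go
package main

import "fmt"

// Action is one of the dist-spec authorization actions named in the advisory.
type Action string

const (
	ActionCreate Action = "create"
	ActionUpdate Action = "update"
)

// Registry holds which tags currently exist per repository.
// Constructed sample state, not read from a real zot instance.
type Registry struct {
	tags map[string]map[string]bool // repo -> tag -> exists
}

// TagExists reports whether a tag is already present in a repository.
func (r *Registry) TagExists(repo, tag string) bool {
	return r.tags[repo][tag]
}

// Policy maps a user to the actions they are permitted on a repository.
// Constructed sample policy for the hypothetical user "builder".
type Policy struct {
	allowed map[string]map[string]map[Action]bool // user -> repo -> action -> allowed
}

// Allows reports whether user may perform action a on repo.
func (p *Policy) Allows(user, repo string, a Action) bool {
	return p.allowed[user][repo][a]
}

// InferFunc maps a PUT /v2/{repo}/manifests/{reference} to the action
// that the authorization layer will check.
type InferFunc func(r *Registry, repo, reference string) Action

// InferVulnerable reproduces the logic the advisory describes for zot
// 1.3.0 through 2.1.14: default to create, and only switch to update when
// the tag already exists AND the reference is not "latest". The carve-out
// for "latest" is the bug: overwriting an existing "latest" is checked as
// a create. Illustration of the described logic, not zot's source.
func InferVulnerable(r *Registry, repo, reference string) Action {
	if r.TagExists(repo, reference) && reference != "latest" {
		return ActionUpdate
	}
	return ActionCreate
}

// InferHardened treats any PUT to a reference that already exists as an
// update, "latest" included. Hypothetical corrected form for this example;
// it is not the 2.1.15 patch.
func InferHardened(r *Registry, repo, reference string) Action {
	if r.TagExists(repo, reference) {
		return ActionUpdate
	}
	return ActionCreate
}

// AuthorizePut returns the inferred action and whether the policy permits it.
func AuthorizePut(infer InferFunc, r *Registry, p *Policy, user, repo, reference string) (Action, bool) {
	a := infer(r, repo, reference)
	return a, p.Allows(user, repo, a)
}

// SampleRegistry: repository "app" already carries tags "latest" and "v1".
func SampleRegistry() *Registry {
	return &Registry{tags: map[string]map[string]bool{
		"app": {"latest": true, "v1": true},
	}}
}

// SamplePolicy: "builder" may create in "app" but may not update.
func SamplePolicy() *Policy {
	return &Policy{allowed: map[string]map[string]map[Action]bool{
		"builder": {"app": {ActionCreate: true}},
	}}
}

func main() {
	r, p := SampleRegistry(), SamplePolicy()
	for _, ref := range []string{"v2", "v1", "latest"} {
		va, vok := AuthorizePut(InferVulnerable, r, p, "builder", "app", ref)
		ha, hok := AuthorizePut(InferHardened, r, p, "builder", "app", ref)
		fmt.Printf("PUT app:%-6s vulnerable=%s/%v hardened=%s/%v\n", ref, va, vok, ha, hok)
	}
}
```

Running it prints one row per reference: a new tag "v2" is a create under both inferences and is allowed; the existing tag "v1" is an update under both and is denied; the existing tag "latest" is the only case where the two disagree, the vulnerable inference allowing it as a create and the hardened one denying it as an update.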

CWE(s): CWE-863 Incorrect Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1195.002 Compromise Software Supply Chain (Initial Access): Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1608.001 Upload Malware (Resource Development): Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting.
Why these techniques?

An authorization bypass on a public-facing OCI registry endpoint (PUT /v2/.../manifests) is directly exploitable as T1190, and the resulting overwrite of a trusted image with a malicious one is the mechanism behind T1195.002 and T1608.001 in a supply-chain attack.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23208 (same product: Zotregistry Zot)
CVE-2026-3136 (shared CWE-863)
CVE-2025-21565 (shared CWE-863)
CVE-2026-46823 (shared CWE-863)
CVE-2026-44260 (shared CWE-863)
CVE-2024-13277 (shared CWE-863)
CVE-2025-30743 (shared CWE-863)
CVE-2026-30947 (shared CWE-863)
CVE-2026-34453 (shared CWE-863)
CVE-2025-54253 (shared CWE-863)

Affected Assets

zotregistry zot, versions 1.3.0 through 2.1.14 (fixed in 2.1.15)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): requires systems to enforce approved authorizations for access to resources such as manifests, directly preventing the authorization bypass that let create-only users overwrite the 'latest' tag.
AC-24 Access Control Decisions (prevent): mandates accurate determination of the required action and the authorization decision for each PUT request, countering the flawed middleware logic that defaulted to 'create' instead of 'update'.
SI-2 Flaw Remediation (prevent): ensures timely identification, reporting, and correction of flaws like this authorization bypass, as fixed in zot version 2.1.15.
