{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31801", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T16:33:42.913Z", "datePublished": "2026-03-10T20:54:15.164Z", "dateUpdated": "2026-03-11T16:00:33.441Z"}, "containers": {"cna": {"title": "zot create-only policy allows overwrite attempts of existing latest tag (update permission not required)", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/project-zot/zot/security/advisories/GHSA-85jx-fm8m-x8c6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/project-zot/zot/security/advisories/GHSA-85jx-fm8m-x8c6"}], "affected": [{"vendor": "project-zot", "product": "zot", "versions": [{"version": ">= 1.3.0, < v2.1.15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:54:15.164Z"}, "descriptions": [{"lang": "en", "value": "zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot\u2019s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != \"latest\". As a result, when latest already exists, a user who is allowed to create (but not allowed to update) can still pass the authorization check for an overwrite attempt of latest. This vulnerability is fixed in 2.1.15."}], "source": {"advisory": "GHSA-85jx-fm8m-x8c6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T15:37:29.566804Z", "id": "CVE-2026-31801", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T16:00:33.441Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "zot create-only policy allows overwrite attempts of existing latest tag (update permission not required)", "source": {"advisory": "GHSA-85jx-fm8m-x8c6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "project-zot", "product": "zot", "versions": [{"status": "affected", "version": ">= 1.3.0, < v2.1.15"}]}], "references": [{"url": "https://github.com/project-zot/zot/security/advisories/GHSA-85jx-fm8m-x8c6", "name": "https://github.com/project-zot/zot/security/advisories/GHSA-85jx-fm8m-x8c6", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot\u2019s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != \"latest\". As a result, when latest already exists, a user who is allowed to create (but not allowed to update) can still pass the authorization check for an overwrite attempt of latest. This vulnerability is fixed in 2.1.15."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T20:54:15.164Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31801", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:37:29.566804Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-11T15:37:35.589Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-31801", "state": "PUBLISHED", "dateUpdated": "2026-03-10T20:54:15.164Z", "dateReserved": "2026-03-09T16:33:42.913Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T20:54:15.164Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zotregistry:zot:*:*:*:*:*:*:*:*", "matchCriteriaId": "221F7F0D-2FD7-45AB-9A1A-5F1AFA35153F", "versionEndExcluding": "2.1.15", "versionStartIncluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot\u2019s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != \"latest\". As a result, when latest already exists, a user who is allowed to create (but not allowed to update) can still pass the authorization check for an overwrite attempt of latest. This vulnerability is fixed in 2.1.15."}, {"lang": "es", "value": "zot es un registro de im\u00e1genes/artefactos de contenedores basado en la Especificaci\u00f3n de Distribuci\u00f3n de Open Container Initiative. Desde la versi\u00f3n 1.3.0 hasta la 2.1.14, el middleware de autorizaci\u00f3n dist-spec de zot infiere la acci\u00f3n requerida para PUT /v2/{name}/manifests/{reference} como 'crear' por defecto, y solo cambia a 'actualizar' cuando la etiqueta ya existe y reference != 'latest'. Como resultado, cuando 'latest' ya existe, un usuario al que se le permite crear (pero no se le permite actualizar) a\u00fan puede pasar la verificaci\u00f3n de autorizaci\u00f3n para un intento de sobrescritura de 'latest'. Esta vulnerabilidad se corrige en la versi\u00f3n 2.1.15."}], "id": "CVE-2026-31801", "lastModified": "2026-03-18T19:30:20.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T21:16:49.850", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/project-zot/zot/security/advisories/GHSA-85jx-fm8m-x8c6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.3.0,2.1.15)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "zot", "source": "cna", "vendor": "project-zot"}, "product": "zot", "vendor": "project-zot"}], "created": "2026-03-11T11:42:10.308587+00:00", "updated": "2026-03-11T11:42:10.308697+00:00", "vendors": ["project-zot", "project-zot$PRODUCT$zot"]}