VDB
CVE-2026-31801
CVE-2026-31801
PUBLISHED
CVSS 7.699999809265137 HIGH
zot is ancontainer image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot’s dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only switches to update when the tag already exists and reference != "latest". As a result, when latest already exists, a user who is allowed to create (but not allowed to update) can still pass the authorization check for an overwrite attempt of latest. This vulnerability is fixed in 2.1.15.
EPSS 0.04% · 13.8th percentile
Risk Scores
CVSS v3.1
7.699999809265137
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
EPSS Score
0.04%
13.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| zotregistry.dev | zot | 1.3.0-20210831063041-c8779d9e87d9, 1.3.0-20210831063041-c8779d9e87d9 |
| zotregistry.dev | zot/v2 | 0, 0 |
| project-zot | zot | >= 1.3.0, < v2.1.15, * |
| zotregistry | zot | 1.3.0, 1.3.0 |
Timeline
- Mar 10, 2026 CVE Published
- Mar 11, 2026 EPSS Score
- Mar 12, 2026 EPSS Score
- Mar 13, 2026 EPSS Score
- Mar 14, 2026 EPSS Score
- Mar 15, 2026 EPSS Score
- Mar 16, 2026 EPSS Score
- Mar 17, 2026 EPSS Score
- Mar 17, 2026 Coalition ESS Score
- Mar 17, 2026 Security Advisory
- Mar 18, 2026 EPSS Score
- Mar 18, 2026 CVE Updated