CVE-2026-31801
📋 TL;DR
This vulnerability allows users with 'create' permissions but not 'update' permissions to overwrite the 'latest' tag in zot container registries. It affects zot deployments using authorization middleware with default action inference for manifest PUT operations.
💻 Affected Systems
- zot
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious actors could overwrite critical 'latest' container images with compromised versions, leading to supply chain attacks and unauthorized code execution in downstream systems.
Likely Case
Users with limited permissions could accidentally or intentionally overwrite production container images, causing service disruption or deploying unauthorized changes.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized users making unintended changes that can be detected and rolled back.
🎯 Exploit Status
Exploitation requires valid user credentials with create permissions but not update permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.15
Vendor Advisory: https://github.com/project-zot/zot/security/advisories/GHSA-85jx-fm8m-x8c6
Restart Required: Yes
Instructions:
1. Stop the zot service.
2. Update to version 2.1.15 or later.
3. Restart the zot service.
4. Verify the version with 'zot --version'.
🔧 Temporary Workarounds
Disable default action inference
- Configure the authorization middleware to explicitly check update permissions for all manifest PUT operations
- Modify the zot configuration to set explicit action checks in authorization rules
Restrict 'latest' tag usage
- Implement policies to discourage or prevent use of 'latest' tags in production
- Configure deployment pipelines to use specific version tags only
🧯 If You Can't Patch
- Implement strict access controls to ensure users with create permissions also have update permissions
- Enable comprehensive logging and monitoring of all manifest PUT operations, especially for 'latest' tags
🔍 How to Verify
Check if Vulnerable:
Check the zot version with 'zot --version' and confirm whether it falls between 1.3.0 and 2.1.14 inclusive
Check Version:
zot --version
Verify Fix Applied:
Confirm version is 2.1.15 or later with 'zot --version' and test that users without update permissions cannot overwrite existing 'latest' tags
📡 Detection & Monitoring
Log Indicators:
- Multiple PUT requests to /v2/{name}/manifests/latest from users with limited permissions
- Authorization failures for update actions followed by successful create actions
Network Indicators:
- HTTP PUT requests to manifest endpoints with 'latest' reference from unauthorized users
SIEM Query:
source="zot" AND (method="PUT" AND uri="/v2/*/manifests/latest") AND (user.permissions="create" AND NOT user.permissions="update")
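As an added example (not from this advisory or the zot project), the two log indicators above expressed as detection logic run over constructed JSON log lines; the log layout and the field names method, path, status, user and perms are assumptions for the example, not zot's actual log schema.

```python
import json
import re

# Constructed sample access-log lines (JSON, one per line). The field names
# (method, path, status, user, perms) are assumptions for this example, not
# zot's real log schema; map them onto the fields your deployment emits.
SAMPLE_LOGS = """\
{"ts":"2026-03-01T10:00:01Z","method":"PUT","path":"/v2/app/api/manifests/latest","status":403,"user":"ci-bot","perms":["read","create"]}
{"ts":"2026-03-01T10:00:02Z","method":"PUT","path":"/v2/app/api/manifests/latest","status":201,"user":"ci-bot","perms":["read","create"]}
{"ts":"2026-03-01T10:05:00Z","method":"PUT","path":"/v2/app/api/manifests/v1.4.2","status":201,"user":"ci-bot","perms":["read","create"]}
{"ts":"2026-03-01T10:06:00Z","method":"PUT","path":"/v2/app/web/manifests/latest","status":201,"user":"release","perms":["read","create","update"]}
{"ts":"2026-03-01T10:07:00Z","method":"GET","path":"/v2/app/api/manifests/latest","status":200,"user":"ci-bot","perms":["read","create"]}
"""

# Repository names may contain slashes, so match the repo part greedily.
MANIFEST_RE = re.compile(r"^/v2/(?P<repo>.+)/manifests/(?P<ref>[^/]+)$")

def parse(lines):
    """Parse newline-delimited JSON log lines into dicts."""
    return [json.loads(line) for line in lines.splitlines() if line.strip()]

def find_suspicious_overwrites(records, tag="latest"):
    """First log indicator: successful manifest PUTs to `tag` by a user holding
    create but not update. Returns (repo, user, ts) tuples in log order."""
    hits = []
    for r in records:
        m = MANIFEST_RE.match(r["path"])
        if r["method"] != "PUT" or not m or m["ref"] != tag:
            continue
        perms = set(r.get("perms", []))
        if 200 <= r["status"] < 300 and "create" in perms and "update" not in perms:
            hits.append((m["repo"], r["user"], r["ts"]))
    return hits

def find_denied_then_allowed(records):
    """Second log indicator: a denied manifest PUT followed by a successful PUT
    on the same reference by the same user. Returns (repo, ref, user) tuples."""
    denied, hits = set(), []
    for r in records:
        m = MANIFEST_RE.match(r["path"])
        if r["method"] != "PUT" or not m:
            continue
        key = (m["repo"], m["ref"], r["user"])
        if r["status"] in (401, 403):
            denied.add(key)
        elif 200 <= r["status"] < 300 and key in denied:
            hits.append(key)
    return hits
```

Feed parse() a real log export to run both checks over it; the tag argument lets the first check cover tags other than 'latest' that your pipelines treat as mutable.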