CVE-2026-31801

Name of the Vulnerable Software and Affected Versions zot versions 1.3.0 through 2.1.14

Description zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. The dist-spec authorization middleware incorrectly infers the required action for PUT requests to the /v2/{name}/manifests/{reference} API endpoint as 'create' by default. It only switches to 'update' when the tag already exists and the reference is not 'latest'. This allows a user permitted to create, but not update, to overwrite the 'latest' tag when it already exists, bypassing authorization checks. The vulnerable parameter is reference.

Recommendations Update to version 2.1.15 or later.