CVE-2026-31801 Overview
CVE-2026-31801 is an authorization bypass vulnerability affecting zot, a container image and artifact registry based on the Open Container Initiative (OCI) Distribution Specification. The vulnerability exists in the dist-spec authorization middleware, which incorrectly infers the required action for manifest PUT requests. This flaw allows users with only create permissions to overwrite the latest tag, bypassing update authorization requirements.
Critical Impact
Attackers with create-only permissions can overwrite critical container image tags, potentially injecting malicious images into production environments.
Affected Products
- zot versions 1.3.0 through 2.1.14
- Container registries using vulnerable zot deployments
- OCI-compliant registries built on affected zot versions
Discovery Timeline
- 2026-03-10 - CVE CVE-2026-31801 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-31801
Vulnerability Analysis
This authorization bypass vulnerability (CWE-863: Incorrect Authorization) stems from flawed logic in zot's dist-spec authorization middleware. The middleware is responsible for determining whether a user request requires create or update permissions when handling manifest PUT operations at the /v2/{name}/manifests/{reference} endpoint.
The core issue lies in the default action inference: the middleware assumes create by default and only switches to update when a tag already exists AND the reference is not latest. This creates a critical gap where the latest tag receives special treatment that undermines access control.
When a user attempts to overwrite an existing latest tag, the authorization check incorrectly evaluates the request as a create operation. Users who are explicitly denied update permissions but granted create permissions can successfully overwrite the latest manifest, violating the intended access control policy.
Root Cause
The root cause is improper conditional logic in the authorization middleware's action inference mechanism. The code path that determines whether to enforce create versus update permissions fails to properly handle the latest tag case. Specifically, when reference == "latest", the conditional check to switch from create to update is bypassed, allowing unauthorized overwrites.
This represents a classic authorization bypass where the permission model does not match the actual operation being performed. The vulnerability demonstrates that special-case handling of the latest tag introduced a security gap in the access control system.
Attack Vector
The attack can be executed remotely over the network by any authenticated user with create permissions on a repository. The attacker sends a PUT request to /v2/{repository}/manifests/latest with a malicious manifest payload. Because the authorization middleware incorrectly treats this as a create action, the request bypasses the update permission check and successfully overwrites the existing latest tag.
This is particularly dangerous because the latest tag is commonly used as the default in container deployments. An attacker could replace legitimate container images with malicious ones, leading to supply chain compromise when systems pull and run the latest tag.
Detection Methods for CVE-2026-31801
Indicators of Compromise
- Unexpected manifest changes to latest tags in container repositories
- PUT requests to /v2/{name}/manifests/latest from users with create-only permissions
- Audit logs showing manifest overwrites without corresponding update permission grants
- Container image digest mismatches for latest tags compared to expected values
Detection Strategies
- Monitor zot registry access logs for PUT operations targeting latest manifests
- Implement image signing and verification to detect unauthorized image replacements
- Compare container image digests against known-good baselines before deployment
- Review user permission assignments for any accounts with create-only (no update) permissions
Monitoring Recommendations
- Enable verbose logging for all manifest operations in zot registries
- Set up alerts for any manifest modifications to production-critical repositories
- Implement continuous integrity monitoring for frequently-pulled container tags
- Deploy admission controllers to validate image signatures at deployment time
How to Mitigate CVE-2026-31801
Immediate Actions Required
- Upgrade zot to version 2.1.15 or later immediately
- Audit all repository permissions to identify accounts with create-only access
- Review recent manifest changes to latest tags for signs of unauthorized modification
- Implement image signing policies to provide defense-in-depth
Patch Information
The vulnerability is fixed in zot version 2.1.15. The patch corrects the authorization middleware logic to properly enforce update permissions when overwriting any existing tag, including latest. Organizations should upgrade to the patched version as soon as possible. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- Restrict create permissions to only trusted users who should also have update access
- Implement external image signing and verification using tools like cosign or Notary
- Deploy network-level controls to limit registry access to authorized systems
- Use immutable tags or digests instead of relying on the latest tag for production deployments
# Review current zot version
zot --version
# Upgrade to patched version 2.1.15
# Follow your deployment method (binary, container, helm chart)
# Example for container deployment:
docker pull ghcr.io/project-zot/zot-linux-amd64:v2.1.15
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
