zot

Artifact Management

zot - A scale-out production-ready vendor-neutral OCI-native container image/artifact registry (purely based on OCI Distribution Specification)

Language: Go · Latest release: v2.1.17 (16 days ago)

Security Response History

1 CVE

CVE: CVE-2026-33634 (KEV status: unknown)
Severity: CVSS 8.8
Disclosed: 2026-03-24
Patched (this tool): 2026-05-18
vs Ecosystem Median: 54d

Recent releases

v2.1.17 Security relevant (review required)
Areas: Auth, RBAC
OIDC logout + CEL access control
Patches CVE-2026-33634
v2.1.16 Mixed
Security fixes
  • Limit manifest PUT body to 4 MiB (INPUT-1)
  • Limit API key creation body to 4 KiB (INPUT-2)
  • Suppress Allow-Credentials on wildcard CORS origin (CORS-1)
Notable features
  • Support pushing multiple tags for a single manifest
  • Add repository quota enforcement middleware
  • Configuration JSON Schema dump command
Full changelog

What's Changed

  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3860
  • fix(search): expose LastPullTimestamp and PushedBy on index ImageSummary by @cainydev in https://github.com/project-zot/zot/pull/3865
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3880
  • feat(zb): list tests, test regex filter, docs update by @vrajashkr in https://github.com/project-zot/zot/pull/3884
  • ci: use zot localstack image and consolidate on using the setup localstack GH action by @andaaron in https://github.com/project-zot/zot/pull/3899
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3896
  • chore: pin trivy-action to safe version by @andaaron in https://github.com/project-zot/zot/pull/3897
  • feat(schema): add schema command to dump JSON Schema for zot config by @rchincha in https://github.com/project-zot/zot/pull/3905
  • feat: support pushing multiple tags for a single manifest by @andaaron in https://github.com/project-zot/zot/pull/3885
  • fix(storage/gcs): fix double-prefixed rootdirectory and EOF handling in Walk for GCS by @thees in https://github.com/project-zot/zot/pull/3903
  • test(blackbox): harden zot restart + reachability checks by @andaaron in https://github.com/project-zot/zot/pull/3907
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3921
  • test: add tests for pushing manifests with non-canonical digests together with tags by @andaaron in https://github.com/project-zot/zot/pull/3920
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3931
  • build: bump zui version to commit-1c8e5ef by @rchincha in https://github.com/project-zot/zot/pull/3932
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3940
  • fix: address code review comments by @andaaron in https://github.com/project-zot/zot/pull/3942
  • feat: Add TrivyConfig.VulnSeveritySources (Trivy's --vuln-severity-source) by @andaaron in https://github.com/project-zot/zot/pull/3943
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3947
  • ci: fix nightly test by @rchincha in https://github.com/project-zot/zot/pull/3948
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3953
  • Pin actions and tighten workflow permissions by @benoittgt in https://github.com/project-zot/zot/pull/3954
  • fix(ci): pass GITHUB_TOKEN explicitly to oras login in sync-trivy step by @rchincha in https://github.com/project-zot/zot/pull/3961
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3964
  • feat(api): add repository quota enforcement middleware by @Aluchir in https://github.com/project-zot/zot/pull/3923
  • fix: Updating a repository should not result in a corrupted index.json file if disk is full by @andaaron in https://github.com/project-zot/zot/pull/3963
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3968
  • fix(auth): add workaround for Docker client auth with mixed anonymous policies by @andaaron in https://github.com/project-zot/zot/pull/3868
  • chore: fix dependabot alerts by @rchincha in https://github.com/project-zot/zot/pull/3971
  • fix(security): limit manifest PUT body to 4 MiB (INPUT-1) by @rchincha in https://github.com/project-zot/zot/pull/3977
  • fix(security): limit API key creation body to 4 KiB (INPUT-2) by @rchincha in https://github.com/project-zot/zot/pull/3978
  • security: suppress Allow-Credentials on wildcard CORS origin (CORS-1) by @rchincha in https://github.com/project-zot/zot/pull/3980
  • fix(security): remove InsecureSkipVerify from metrics client (TLS-1) by @rchincha in https://github.com/project-zot/zot/pull/3982

New Contributors

  • @cainydev made their first contribution in https://github.com/project-zot/zot/pull/3865
  • @thees made their first contribution in https://github.com/project-zot/zot/pull/3903
  • @benoittgt made their first contribution in https://github.com/project-zot/zot/pull/3954
  • @Aluchir made their first contribution in https://github.com/project-zot/zot/pull/3923

Full Changelog: https://github.com/project-zot/zot/compare/v2.1.15...v2.1.16

v2.1.15 New feature; patches GHSA-85jx-fm8m-x8c6 and GO-2026-4668
Security fixes
  • Fixed open redirect vulnerability via callback_ui
Notable features
  • Per-issuer CA configuration for OIDC
  • JWT expiration at access entry level
  • AWS Secrets Manager for JWT verification
v2.1.14 Security relevant
Security fixes
  • CVE-2025-30204 - golang-jwt DoS vulnerability via excessive memory allocation
Notable features
  • OIDC workload identity federation support

About

Stars: 2,273
Forks: 217
Languages: Go, Shell, Makefile