diff --git a/CHANGELOG.md b/CHANGELOG.md
index ab2bda8a024..d408627a746 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 ## 92 Release Notes
 
+### AWS ECR Docker Remote Hashing
+* Fixed an issue where ECR images without an explicit repository prefix
+(e.g., `123456789012.dkr.ecr.us-east-1.amazonaws.com/example-tool`) would fail during remote hash computation due to incorrect manifest URI construction.
+The Docker registry implementation now correctly handles ECR's support for repository-less image paths.
+
 ### AWS Batch
 * Fixed an issue where job failures before all outputs were written would cause delocalization to fail, preventing the upload of return code, stdout, and stderr files needed for debugging.
 * Split the option to tag resources between AWS Batch jobs vs. EC2 and EBS volumes hardware
diff --git a/dockerHashing/src/main/scala/cromwell/docker/registryv2/DockerRegistryV2Abstract.scala b/dockerHashing/src/main/scala/cromwell/docker/registryv2/DockerRegistryV2Abstract.scala
index 6abb41e6551..97298d463af 100644
--- a/dockerHashing/src/main/scala/cromwell/docker/registryv2/DockerRegistryV2Abstract.scala
+++ b/dockerHashing/src/main/scala/cromwell/docker/registryv2/DockerRegistryV2Abstract.scala
@@ -192,6 +192,14 @@ abstract class DockerRegistryV2Abstract(override val config: DockerRegistryConfi
 */
 protected def serviceName: Option[String] = None
 
+ /**
+ * Returns the repository path to use in manifest and token URIs.
+ * Default behavior adds "library" repository for images without an explicit repository.
+ * Registries can override this for custom behavior (e.g., ECR doesn't need "library").
+ */
+ protected def getRepositoryPath(dockerImageID: DockerImageIdentifier): String =
+ dockerImageID.nameWithDefaultRepository
+
 /**
 * Builds the token URI to be queried based on a DockerImageID
 */
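Review bot: `getRepositoryPath` is named differently from the other overridable members of this class: `serviceName` in this same hunk, and `registryHostName` / `authorizationServerHostName` called in the later hunks, are plain nouns, so `repositoryPath` would be the consistent (and idiomatic Scala) name for a pure accessor. The Scaladoc should also state the contract on the result, since the following hunks place it as-is into the manifest path and the token scope; for example add `* The result must be a bare repository name such as "repo/image" or "image": no leading or trailing "/" and no URI-reserved characters.` The class body begins and ends outside this hunk.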
@@ -201,7 +209,7 @@ abstract class DockerRegistryV2Abstract(override val config: DockerRegistryConfi
 scheme = Option(Scheme.https),
 authority = Option(Authority(host = Uri.RegName(authorizationServerHostName(dockerImageID)))),
 path = "/token",
- query = Query.fromString(s"${service}scope=repository:${dockerImageID.nameWithDefaultRepository}:pull")
+ query = Query.fromString(s"${service}scope=repository:${getRepositoryPath(dockerImageID)}:pull")
 )
 }
 
@@ -233,7 +241,7 @@ abstract class DockerRegistryV2Abstract(override val config: DockerRegistryConfi
 Uri.apply(
 scheme = Option(Scheme.https),
 authority = Option(Authority(host = Uri.RegName(registryHostName(dockerImageID)))),
- path = s"/v2/${dockerImageID.nameWithDefaultRepository}/manifests/${dockerImageID.reference}"
+ path = s"/v2/${getRepositoryPath(dockerImageID)}/manifests/${dockerImageID.reference}"
 )
 
 /**
diff --git a/dockerHashing/src/main/scala/cromwell/docker/registryv2/flows/aws/AmazonEcrAbstract.scala b/dockerHashing/src/main/scala/cromwell/docker/registryv2/flows/aws/AmazonEcrAbstract.scala
index 4533547ca00..d29f8c7d611 100644
--- a/dockerHashing/src/main/scala/cromwell/docker/registryv2/flows/aws/AmazonEcrAbstract.scala
+++ b/dockerHashing/src/main/scala/cromwell/docker/registryv2/flows/aws/AmazonEcrAbstract.scala
@@ -11,6 +11,13 @@ import org.slf4j.{Logger, LoggerFactory}
 abstract class AmazonEcrAbstract(override val config: DockerRegistryConfig) extends DockerRegistryV2Abstract(config) {
 private val logger: Logger = LoggerFactory.getLogger(this.getClass)
 
+ /**
+ * ECR supports images with no repository (e.g., 123456789012.dkr.ecr.us-east-1.amazonaws.com/example-tool)
+ * so we don't add the default "library" repository prefix
+ */
+ override protected def getRepositoryPath(dockerImageID: DockerImageIdentifier): String =
+ dockerImageID.name
+
 /**
 * Not used as getToken is overridden
 */
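Review bot: The scope parameter is built by interpolating the hook's result into a string that `Query.fromString` then parses, so the result is read as query syntax rather than as a single value; the manifest `path = s"/v2/${getRepositoryPath(dockerImageID)}/manifests/..."` in the next hunk has the same shape. Before this change the value always came from `nameWithDefaultRepository`; now any subclass override feeds these two builders, and a `&`, `?` or `#` in its result would change the request rather than fail. I would check the result once against the registry repository-name grammar before building either URI, or pass the scope as a key/value pair so it is encoded. The enclosing method starts outside the hunk, so how `service` is produced is not visible here.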
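Review bot: On this page only the token and manifest builders are moved to `getRepositoryPath`; if any other request in this class (the part outside these hunks) is still built from `dockerImageID.nameWithDefaultRepository`, it will keep the "library" prefix for ECR and no longer agree with the manifest path. It is worth searching the class for remaining uses and routing them through the hook, or adding a comment on `nameWithDefaultRepository` saying that URI builders should call `getRepositoryPath` instead. The enclosing method definition is outside the hunk.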
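Review bot: No test for this override is visible on the page, and the fix is a one-segment difference in a URI that is easy to regress. A unit test that builds the manifest URI for a repository-less ECR identifier and expects `/v2/example-tool/manifests/<reference>`, plus one with an explicit repository to show that case is unchanged, would pin the behaviour. The override is inherited by every subclass of `AmazonEcrAbstract`, which are outside this hunk, so the test should cover each of them.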