Critical severity vulnerability in Harbor (CVE-2019-16097) #security


Attention Harbor Users,


A new Harbor security advisory has been published at for CVE

The internal testing team of Harbor has identified a critical vulnerability. The vulnerability allows non-admin users to create Harbor admin accounts by sending Harbor a malicious request. The vulnerability was quickly fixed by the Harbor team and backported to all supported versions.


Details: core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API.


How to tell if your deployment is affected:

* You use database authentication.


* You have self-registration enabled.


If your deployment uses Harbor, update to 1.7.6/1.8.3 immediately.

Affected Harbor versions are:

* 1.7.x prior to 1.7.6 (CVE is fixed in 1.7.6)

* 1.8.x prior to 1.8.3 (CVE is fixed in 1.8.3)


Please update to the latest release of Harbor that includes a fix for this CVE.

  1. 1.9
  2. 1.8.3
  3. 1.7.6


Michael Michael

Core Maintainer, Harbor
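
A triage check for the criteria in the advisory above, as an added example that is not part of the original message or of Harbor's own code. It assumes each deployment's settings have already been collected into a dict; the key names (`harbor_version`, `auth_mode`, `self_registration`), the `db_auth` and `ldap_auth` values, and the sample inventory are assumptions constructed for illustration.

```python
import re

# Patch release carrying the fix for each affected minor line, per the advisory.
FIXED_PATCH = {(1, 7): 6, (1, 8): 3}

def parse_version(raw):
    """Return (major, minor, patch) from strings such as 'v1.8.2-1a2b3c4d'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m:
        raise ValueError(f"unrecognised Harbor version: {raw!r}")
    return tuple(int(part) for part in m.groups())

def version_affected(raw):
    """True for 1.7.x prior to 1.7.6 and 1.8.x prior to 1.8.3."""
    major, minor, patch = parse_version(raw)
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed

def triage(info):
    """Classify one deployment as 'not affected', 'unpatched' or 'exposed'.

    Key names and the 'db_auth' value are assumptions, not taken from the
    advisory. A missing setting counts as matching, so gaps in the
    inventory are flagged rather than silently passed.
    """
    if not version_affected(info["harbor_version"]):
        return "not affected"
    db_auth = info.get("auth_mode", "db_auth") == "db_auth"
    self_reg = bool(info.get("self_registration", True))
    if db_auth and self_reg:
        return "exposed"    # both advisory conditions hold
    return "unpatched"      # affected release; the advisory still says update

# Constructed sample inventory (hostnames and values are illustrative).
INVENTORY = {
    "harbor-a.example.internal": {"harbor_version": "v1.8.2-1a2b3c4d",
                                  "auth_mode": "db_auth", "self_registration": True},
    "harbor-b.example.internal": {"harbor_version": "v1.7.5",
                                  "auth_mode": "ldap_auth", "self_registration": False},
    "harbor-c.example.internal": {"harbor_version": "v1.8.3",
                                  "auth_mode": "db_auth", "self_registration": True},
    "harbor-d.example.internal": {"harbor_version": "v1.7.3"},  # settings unknown
}

def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(info) for host, info in inventory.items()}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```
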


