Critical severity vulnerability in Harbor (CVE-2019-16919) #security

Michael Michael <michmike@...>

Attention Harbor users.

A new Harbor security advisory has been published at


The internal Harbor team has identified a Broken Access Control critical vulnerability. The vulnerability allows project administrators to use the Harbor API to create a robot account with unauthorized push and/or pull access permissions to a project they don't have access or control for. The Harbor API did not enforce the proper project permissions and project scope on the API request to create a new robot account. The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.

Known Attack Vectors

A malicious actor with administrative access to a project may be able to create a robot account inside of an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push/pull/modify images in the target adjacent project.


If your product uses the affected releases of Harbor, update to version 1.8.4 and 1.9.1 to patch this issue immediately.


There is no workaround for this issue

For more information

If you have any questions or comments about this advisory, contact cncf-harbor-security@...


Return Receipt

Your [harbor-users] Critical severity vulnerability in Harbor
document: (CVE-2019-16919) #security

was ray_wu@...

at: 10/17/2019 10:38:20 AM