Non-critical severity vulnerability in Harbor (CVE-2020-13794) #security

Alex Xu

Attention Harbor users,

A new Harbor security advisory has been published at

The vulnerability has already been fixed in the newly released v2.1.0 and v2.0.3. Please upgrade to these versions as soon as possible. If you have any concerns about this timeline, please reach out to us.


The Dutch Government Security Team discovered an enumeration vulnerability that lists all users with their respective user IDs when making authenticated API calls (basic auth) to "/api/users/search?username=_".

CURL example:

curl -X GET "" -H "accept: application/json" --user REDACTED@...

The vulnerability was immediately fixed by the Harbor team and all supported versions were patched.

Known Attack Vectors

Successful exploitation of this issue will lead to enumeration of users and their IDs.


This is already patched in v2.1.0, released today, but we will also make the fix available in the upcoming v2.0.3.

For more information

View our security policy at

If you have any questions or comments about this advisory, please contact cncf-harbor-security@...
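
To check whether the search endpoint named in this advisory was queried with the "_" value before an upgrade, the following added example (not part of the original advisory and not Harbor project code) scans proxy access logs for such requests. It assumes nginx "combined" log lines and an optional API version segment in the path; the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in nginx "combined" format (an assumption about
# how the reverse proxy in front of Harbor logs requests).
SAMPLE_LOG = """\
203.0.113.7 - alice [21/Sep/2020:10:01:02 +0000] "GET /api/users/search?username=_ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.4 - bob [21/Sep/2020:10:05:44 +0000] "GET /api/users/search?username=carol HTTP/1.1" 200 96 "-" "Mozilla/5.0"
198.51.100.4 - bob [21/Sep/2020:10:06:10 +0000] "GET /api/projects?page=1 HTTP/1.1" 200 830 "-" "Mozilla/5.0"
192.0.2.55 - - [21/Sep/2020:10:09:31 +0000] "GET /api/v2.0/users/search?username=%5F HTTP/1.1" 401 72 "-" "python-requests/2.24"
203.0.113.7 - alice [21/Sep/2020:11:30:00 +0000] "GET /api/users/search?username=_ HTTP/1.1" 200 5120 "-" "curl/7.68.0"
"""

# Fields: client IP, remote user, timestamp, method, request target, status.
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Path from the advisory; the optional version segment is an assumption.
SEARCH_PATH = re.compile(r"^/api/(?:[^/]+/)?users/search$")


def find_enumeration_requests(log_text):
    """Return one record per user-search request whose username is only '_'."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, user, ts, method, target, status = m.groups()
        url = urlsplit(target)
        if method != "GET" or not SEARCH_PATH.match(url.path):
            continue
        # parse_qs percent-decodes values, so "%5F" is compared as "_".
        for value in parse_qs(url.query, keep_blank_values=True).get("username", []):
            if value and not value.strip("_"):
                hits.append({"ip": ip, "user": user, "time": ts,
                             "username": value, "status": int(status)})
    return hits


def successful_by_client(hits):
    """Count flagged requests answered with HTTP 200, per (ip, user)."""
    return Counter((h["ip"], h["user"]) for h in hits if h["status"] == 200)


if __name__ == "__main__":
    for hit in find_enumeration_requests(SAMPLE_LOG):
        print(hit)
```

Requests answered with HTTP 200 are the ones to review first, since the advisory describes the listing as the result of authenticated calls.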