CVE-2019-19023
Description
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 has a Privilege Escalation Vulnerability in the VMware Harbor Container Registry for the Pivotal Platform.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2019-19023 allows a normal user to gain admin privileges in Harbor by exploiting an API endpoint lacking proper permission checks.
Vulnerability
Summary
CVE-2019-19023 is a privilege escalation vulnerability in Cloud Native Computing Foundation Harbor, versions prior to 1.8.6 and 1.9.3. The root cause is that the Harbor API did not enforce proper permissions and scope on the request to modify a user's email address, allowing a normal user to make an unauthorized API call to change the email of a specific user [1][3].
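The missing check described above, as an added example (not Harbor's code and not taken from the fix commits): an update that trusts the target ID from the request, next to one that enforces object-level authorization. The `User`, `Store` and function names and the sample accounts are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// User and Store are a hypothetical account model, not Harbor's own.
type User struct {
	Email string
	Admin bool
}

type Store map[int]*User // constructed in-memory table keyed by user ID

var (
	ErrForbidden = errors.New("caller may not modify this user")
	ErrNotFound  = errors.New("no such user")
)

// UpdateEmailUnchecked is the flawed pattern: the target ID from the
// request is trusted and never compared with the authenticated caller.
func (s Store) UpdateEmailUnchecked(callerID, targetID int, email string) error {
	target, ok := s[targetID]
	if !ok {
		return ErrNotFound
	}
	target.Email = email
	return nil
}

// UpdateEmail adds the object-level check. callerID must come from the
// authenticated session, never from the request body or URL.
func (s Store) UpdateEmail(callerID, targetID int, email string) error {
	caller, ok := s[callerID]
	if !ok || (callerID != targetID && !caller.Admin) {
		return ErrForbidden // decided before the target lookup
	}
	if _, ok := s[targetID]; !ok {
		return ErrNotFound
	}
	s[targetID].Email = email
	return nil
}

func main() {
	s := Store{1: {Email: "admin@example.test", Admin: true}, 2: {Email: "dev@example.test"}}
	fmt.Println(s.UpdateEmail(2, 1, "changed@example.test"), s[1].Email)
}
```

Because the password-reset flow trusts the stored email address, the authorization decision has to be made on the write to that field, not only on the reset itself.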
Exploitation
An attacker with standard user credentials can directly call the vulnerable API endpoint to modify the email address of another user (e.g., an administrator). Once the email is changed, the attacker can use the password reset functionality for that modified email address to set a new password and gain full access to the target account [3][4]. No additional authentication or special privileges are required beyond having a valid user account in Harbor.
Impact
Successful exploitation results in full administrative control over the Harbor instance. The attacker can then manage container images, projects, and other users, potentially leading to data breach, supply chain compromise, or further lateral movement within the environment [4]. The vulnerability is rated as Critical severity.
Mitigation
The vulnerability has been patched in Harbor versions 1.8.6 and 1.9.3. Users running affected versions should upgrade immediately. No workaround exists for this issue [4]. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/goharbor/harbor (Go) | >= 1.7.0, < 1.8.6 | 1.8.6 |
| github.com/goharbor/harbor (Go) | >= 1.9.0, < 1.9.3 | 1.9.3 |
Affected products
- Cloud Native Computing Foundation/Harbor
Patches
2730d6d28a567 Merge pull request #9893 from stonezdj/remove_tedious_msg_190
1 file changed · +1 −1
src/common/config/manager.go+1 −1 modified@@ -189,7 +189,7 @@ func (c *CfgManager) Save() error { func (c *CfgManager) Get(key string) *metadata.ConfigureValue { configValue, err := c.store.Get(key) if err != nil { - log.Errorf("failed to get key %v, error: %v", key, err) + log.Debugf("failed to get key %v, error: %v", key, err) configValue = &metadata.ConfigureValue{} } return configValue
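Review bot: In `CfgManager.Get`, moving the `c.store.Get` failure from `log.Errorf` to `log.Debugf` hides every store error at default log levels, not only a missing key, while the caller still receives an empty `&metadata.ConfigureValue{}` with no indication that the lookup failed. Consider keeping the error level for failures other than key-not-found, or returning the error to the caller. The hunk changes only a log level, so it is not where the permission check on the email change described in the advisory was added.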
5d2c4c2df6bb Merge pull request #9890 from reasonerjt/bump-up-clair-1.8.0
1 file changed · +1 −1
Makefile+1 −1 modified@@ -102,7 +102,7 @@ PREPARE_VERSION_NAME=versions REGISTRYVERSION=v2.7.1-patch-2819 NGINXVERSION=$(VERSIONTAG) NOTARYVERSION=v0.6.1 -CLAIRVERSION=v2.0.8 +CLAIRVERSION=v2.1.0 CLAIRDBVERSION=$(VERSIONTAG) MIGRATORVERSION=$(VERSIONTAG) REDISVERSION=$(VERSIONTAG)
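Review bot: The `CLAIRVERSION=v2.1.0` line moves the Clair image from v2.0.8 with no stated reason; the change should say what the bump fixes or requires and whether `CLAIRDBVERSION`, which stays at `$(VERSIONTAG)`, is compatible with the new Clair. The hunk touches only a Makefile version variable, so it does not contain the permission fix the advisory describes.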
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q6cj-6jvq-jwmh (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-19023 (ADVISORY)
- github.com/goharbor/harbor/security/advisories (WEB)
- github.com/goharbor/harbor/security/advisories/GHSA-3868-7c5x-4827 (WEB)
- tanzu.vmware.com/security/cve-2019-19023 (WEB)