CVE-2019-19026
Description
Cloud Native Computing Foundation Harbor prior to 1.8.6 and 1.9.3 allows SQL Injection via project quotas in the VMware Harbor Container Registry for the Pivotal Platform.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Harbor prior to 1.8.6 and 1.9.3 contains a SQL injection vulnerability in the project quotas API, allowing authenticated administrators to extract sensitive data via the sort parameter.
Vulnerability
Overview
CVE-2019-19026 is a SQL injection vulnerability in the project quotas section of the Harbor API, affecting versions prior to 1.8.6 and 1.9.3 [1]. The root cause is insufficient sanitization of user-supplied input passed to the sort GET parameter, which is directly concatenated into SQL queries without proper escaping or parameterization [3].
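The defect class described above (a caller-controlled sort field spliced into the SQL text) is easiest to see next to its usual fix. The Go block below is an added illustration written for this page, not Harbor's own code: the table and column names, the `-field` convention for descending order, and the function names are assumptions. The point is that the request string never reaches the query text; it only selects an entry from a fixed allowlist, and anything else is rejected before a query is built.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// quotaSortColumns is the allowlist of sortable fields for a hypothetical
// quota listing. The map value is the exact SQL identifier used in ORDER BY,
// so user input is only ever a lookup key, never part of the query string.
var quotaSortColumns = map[string]string{
	"id":            "id",
	"creation_time": "creation_time",
	"update_time":   "update_time",
}

// ErrInvalidSort is returned for any sort value outside the allowlist.
var ErrInvalidSort = errors.New("invalid sort parameter")

// buildQuotaQueryUnsafe shows the defect pattern: the caller-controlled sort
// string is concatenated straight into the SQL text. ORDER BY cannot take a
// bind parameter for the column name, so parameterization alone does not
// help here; validation has to happen before the query is assembled.
func buildQuotaQueryUnsafe(sort string) string {
	return "SELECT id, hard, used FROM quota ORDER BY " + sort
}

// buildQuotaQuerySafe resolves the sort value against the allowlist.
// A leading '-' selects descending order, a leading '+' (or none) ascending
// (assumed convention for this example).
func buildQuotaQuerySafe(sort string) (string, error) {
	dir := "ASC"
	key := sort
	switch {
	case strings.HasPrefix(sort, "-"):
		dir = "DESC"
		key = sort[1:]
	case strings.HasPrefix(sort, "+"):
		key = sort[1:]
	}
	col, ok := quotaSortColumns[key]
	if !ok {
		// Reject rather than fall back to a default: a silent default hides
		// probing in the logs and still answers the request.
		return "", fmt.Errorf("%w: %q", ErrInvalidSort, sort)
	}
	return fmt.Sprintf("SELECT id, hard, used FROM quota ORDER BY %s %s", col, dir), nil
}

func main() {
	// Constructed sample inputs: two valid sort keys and one that is not
	// in the allowlist.
	for _, s := range []string{"creation_time", "-update_time", "owner"} {
		q, err := buildQuotaQuerySafe(s)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println(q)
	}
}
```

A rejected sort value is a useful signal for detection as well: logging the `ErrInvalidSort` path with the requesting account gives a cheap indicator of someone probing the parameter, which matters here because the attacker already holds admin credentials.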
Exploitation
An attacker must be an authenticated administrator to exploit this flaw. By sending a specially crafted SQL payload through the sort parameter, the attacker can inject arbitrary SQL commands into the database query [4]. No other authentication or network position is required beyond valid admin credentials.
Impact
Successful exploitation allows the attacker to extract sensitive information from the underlying database, including potentially credentials, tokens, or other confidential data stored by Harbor [3][4]. The vulnerability does not enable remote code execution or privilege escalation beyond the database access level.
Mitigation
The Harbor team patched this vulnerability in versions 1.8.6 and 1.9.3 [4]. There is no known workaround; administrators must upgrade to a fixed version immediately. The issue was responsibly reported by Cure53 [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/goharbor/harbor | Go | >= 1.7.0, < 1.8.6 | 1.8.6 |
| github.com/goharbor/harbor | Go | >= 1.9.0, < 1.9.3 | 1.9.3 |
Affected products
- Cloud Native Computing Foundation / Harbor
Patches
2730d6d28a567 Merge pull request #9893 from stonezdj/remove_tedious_msg_190
1 file changed · +1 −1
src/common/config/manager.go+1 −1 modified@@ -189,7 +189,7 @@ func (c *CfgManager) Save() error { func (c *CfgManager) Get(key string) *metadata.ConfigureValue { configValue, err := c.store.Get(key) if err != nil { - log.Errorf("failed to get key %v, error: %v", key, err) + log.Debugf("failed to get key %v, error: %v", key, err) configValue = &metadata.ConfigureValue{} } return configValue
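Review bot: lowering the failed-lookup message in CfgManager.Get from log.Errorf to log.Debugf hides a real failure at the default log level, since the function still swallows the error and returns an empty &metadata.ConfigureValue{} to the caller; if the message is noisy for expected missing keys, distinguish a not-found result from a store error and keep the latter at Error or Warn. Note also that this hunk touches only config logging and nothing in the project quota or sort handling the advisory describes, so it should not be read as the fix for the injection itself.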
5d2c4c2df6bb Merge pull request #9890 from reasonerjt/bump-up-clair-1.8.0
1 file changed · +1 −1
Makefile+1 −1 modified@@ -102,7 +102,7 @@ PREPARE_VERSION_NAME=versions REGISTRYVERSION=v2.7.1-patch-2819 NGINXVERSION=$(VERSIONTAG) NOTARYVERSION=v0.6.1 -CLAIRVERSION=v2.0.8 +CLAIRVERSION=v2.1.0 CLAIRDBVERSION=$(VERSIONTAG) MIGRATORVERSION=$(VERSIONTAG) REDISVERSION=$(VERSIONTAG)
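Review bot: the only change is the pinned CLAIRVERSION moving from v2.0.8 to v2.1.0 while CLAIRDBVERSION stays at $(VERSIONTAG); the PR title and the commit message should state why the scanner is being bumped in this branch and whether the Clair database image needs a matching rebuild. Like the previous hunk, this is a dependency update and does not touch the quota sort parameter handling, so it is not by itself the remediation for this CVE.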
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-w4x5-jqq4-qc8x (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-19026 (GHSA advisory)
- github.com/goharbor/harbor/security/advisories (GHSA, x_refsource_MISC, web)
- github.com/goharbor/harbor/security/advisories/GHSA-rh89-vvrg-fg64 (GHSA, x_refsource_MISC, web)
- tanzu.vmware.com/security/cve-2019-19026 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.