Low severity · NVD Advisory · Published Jul 15, 2020 · Updated Aug 4, 2024

CVE-2020-13788

Description

Harbor prior to 2.0.1 allows SSRF with this limitation: an attacker with the ability to edit projects can scan ports of hosts accessible on the Harbor server's intranet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Harbor prior to 2.0.1 allows limited SSRF via the Test Endpoint API, enabling project administrators to scan internal network ports.

Harbor's Test Endpoint API, used to verify webhook endpoints, is vulnerable to a limited Server-Side Request Forgery (SSRF) [3]. A project administrator can abuse this API to send requests to arbitrary hosts on the Harbor server's internal network, effectively performing TCP port scanning [2].

An attacker must have project administrator privileges to access the Test Endpoint functionality. Harbor system administrators can control who becomes project admin, and can restrict project creation to administrators only [3]. The attack is limited to port scanning and does not allow data exfiltration or injection.

Successful exploitation allows an attacker to identify open TCP ports on internal hosts reachable by Harbor core services, potentially mapping the internal network and discovering vulnerable services [3].

The issue is fixed in Harbor version 2.0.1 [1][3]. Users should upgrade immediately. As a workaround, Harbor administrators can restrict project creation and manage project admin roles carefully [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| github.com/goharbor/harbor (Go) | >= 1.8.0, < 2.0.1 | 2.0.1 |
