VYPR
Moderate severity · NVD Advisory · Published Nov 14, 2024 · Updated Nov 14, 2024

Harbor fails to validate the user permissions when updating a robot account

CVE-2022-31667

Description

Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to.

By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesn’t have access to, it was possible to revoke the robot account permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated Harbor user can revoke robot account permissions for a project they do not belong to due to missing permission validation.

Vulnerability

Overview

Harbor, the cloud-native container registry, fails to validate user permissions when updating a robot account that belongs to a project the authenticated user does not have access to [1][3]. The flaw resides in the API endpoint PUT /robots/{robot_id}: the update is authorized without confirming that the caller holds rights on the project that actually owns the robot identified in the path. By specifying a robot_id and robot name associated with a different project, an attacker can revoke that robot account's permissions without holding any membership or role in that project [1][3].
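The following Go program is an added illustration of the flaw class described above; it is not Harbor's code and its types, project names and robot names are invented for the example. It models a registry where robots belong to projects and users hold update rights per project, then shows an update handler that authorizes against the project named in the request body (the broken-object-level-authorization pattern this advisory describes) beside a handler that first resolves the robot by its ID and authorizes against the project that owns it.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model of a Harbor-like registry: projects own robot accounts,
// users hold roles in projects. None of this is Harbor's own code.

type Robot struct {
	ID      int64
	Name    string
	Project string   // project that owns the robot
	Actions []string // granted permissions, e.g. "pull", "push"
}

type UpdateRobotRequest struct {
	RobotID int64    // path parameter, chosen by the caller
	Name    string   // robot name from the request body
	Project string   // project named in the request body
	Actions []string // new permission set; nil revokes everything
}

type Registry struct {
	robots  map[int64]*Robot
	members map[string]map[string]bool // project -> users allowed to update robots
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("robot not found")
	ErrMismatch  = errors.New("robot does not belong to the project named in the request")
)

func (r *Registry) canUpdate(user, project string) bool {
	return r.members[project][user] // nil inner map yields false
}

// UpdateRobotVulnerable authorizes against the project the caller names in
// the body, not the project that owns the robot identified by RobotID. A
// member of project "a" can therefore pass the RobotID of a robot in
// project "b" and revoke its actions.
func (r *Registry) UpdateRobotVulnerable(user string, req UpdateRobotRequest) error {
	if !r.canUpdate(user, req.Project) {
		return ErrForbidden
	}
	robot, ok := r.robots[req.RobotID]
	if !ok {
		return ErrNotFound
	}
	robot.Actions = req.Actions // never compares robot.Project with req.Project
	return nil
}

// UpdateRobotFixed resolves the robot first, authorizes against the project
// that actually owns it, and rejects bodies whose name or project disagree
// with the stored record, so path ID and body cannot be mixed and matched.
func (r *Registry) UpdateRobotFixed(user string, req UpdateRobotRequest) error {
	robot, ok := r.robots[req.RobotID]
	if !ok {
		return ErrNotFound
	}
	if !r.canUpdate(user, robot.Project) {
		return ErrForbidden
	}
	if req.Project != robot.Project || req.Name != robot.Name {
		return ErrMismatch
	}
	robot.Actions = req.Actions
	return nil
}

// newSampleRegistry builds constructed sample data: two projects, one robot
// each, and one member per project.
func newSampleRegistry() *Registry {
	return &Registry{
		robots: map[int64]*Robot{
			1: {ID: 1, Name: "robot$ci-a", Project: "a", Actions: []string{"pull", "push"}},
			2: {ID: 2, Name: "robot$ci-b", Project: "b", Actions: []string{"pull", "push"}},
		},
		members: map[string]map[string]bool{
			"a": {"alice": true},
			"b": {"bob": true},
		},
	}
}

// Attack has alice, a member of project "a" only, try to revoke project b's
// robot through the given handler. It returns the robot's remaining actions
// and the handler's error.
func Attack(update func(*Registry, string, UpdateRobotRequest) error) ([]string, error) {
	reg := newSampleRegistry()
	req := UpdateRobotRequest{
		RobotID: 2,            // robot owned by project b
		Name:    "robot$ci-b", // target robot's name, known or guessed
		Project: "a",          // attacker's own project, to satisfy the naive check
		Actions: nil,          // revoke everything
	}
	err := update(reg, "alice", req)
	return reg.robots[2].Actions, err
}

func main() {
	handlers := map[string]func(*Registry, string, UpdateRobotRequest) error{
		"vulnerable": (*Registry).UpdateRobotVulnerable,
		"fixed":      (*Registry).UpdateRobotFixed,
	}
	for name, fn := range handlers {
		actions, err := Attack(fn)
		fmt.Printf("%-10s err=%v remaining actions=%v\n", name, err, actions)
	}
}
```

Against the vulnerable handler the attack succeeds and project b's robot is left with no actions; against the fixed handler it fails with ErrForbidden and the robot keeps pull and push. Two design points worth carrying into real code: the object must be loaded before the authorization decision, because the owning project is a property of the stored object and not of the request; and a production handler should return the same status for "not found" and "forbidden" (rather than the distinct errors used here for clarity), so that an attacker cannot enumerate valid robot IDs by probing.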

Exploitation

Requirements

The attacker must be authenticated to the Harbor instance, but needs no privileges in the target project: any account able to send a crafted API request suffices [1][3]. The only target-specific inputs are the robot_id and the robot account name of a project the attacker cannot otherwise access, both of which may be known or guessed [1][3].

Impact

A successful attack allows the attacker to revoke the permissions of a robot account belonging to any project in the Harbor instance [1][3]. This can disrupt automated CI/CD pipelines or any other processes that depend on that robot account for image push/pull operations, effectively causing a denial of service for the affected project's workflows.

Mitigation

Harbor fixed this issue in releases 1.10.13, 2.4.3 and 2.5.2 [3]. Users should upgrade to the patched release for their branch, or to the latest release, immediately. No official workarounds are available [3]. The vulnerability was reported by Gal Goldstein and Daniel Abeles from Oxeye Security [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Ecosystem   Affected versions      Patched versions
github.com/goharbor/harbor   Go          >= 1.0.0, < 1.10.13    1.10.13
github.com/goharbor/harbor   Go          >= 2.0.0, < 2.4.3      2.4.3
github.com/goharbor/harbor   Go          >= 2.5.0, < 2.5.2      2.5.2

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 3
