User permission validation failure and disclosure of P2P preheat execution logs
Description
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Harbor fails to validate user permissions when updating p2p preheat policies, allowing authenticated attackers to modify policies in projects they do not have access to.
Vulnerability
Overview
CVE-2022-31668 is an authorization bypass vulnerability in the Harbor container registry platform. When a p2p preheat policy is updated via the PUT /projects/{project_name}/preheat/policies/{preheat_policy_name} API endpoint, Harbor does not check that the policy identified by the id in the update request belongs to the project named in the path, which is the project the permission check is evaluated against. An authenticated user can therefore supply the id of a policy that lives in a project they do not have access to, and the server applies the update without any authorization check for that project [1][3][4].
Exploitation
Prerequisites
An attacker needs a valid authenticated session with the Harbor API; no privileges beyond ordinary user access are required. The attack is performed remotely over the network by sending an update request for a p2p preheat policy while referencing the id of a policy that belongs to a different project [1][4].
Impact
Successful exploitation allows the attacker to modify p2p preheat policies that are configured in other projects. This can lead to unauthorized changes in how container images are pre-warmed across the registry, potentially affecting the availability and integrity of image distribution workflows within the Harbor instance [1][3][4].
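The following Go program is an added example written for this page; it is not Harbor's code, and every type, function and name in it (Registry, updatePolicy, runScenario, the users "mallory" and "alice", the projects "sandbox" and "prod", the policy ids 3 and 7) is an assumption made to model the flaw described in the Overview and Exploitation sections above. The handler evaluates permissions for the project in the path and then loads the policy by the id from the request body; with the scope check disabled it reproduces the reported behaviour, and with it enabled it rejects a policy id from another project.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model of the flaw, not Harbor's code. All type and function
// names here are assumptions made for this example.

// Policy is a p2p preheat policy. Harbor scopes policies to a project; the
// ProjectID field is what the vulnerable path fails to check.
type Policy struct {
	ID        int64
	Name      string
	ProjectID int64
	Enabled   bool
}

// Project holds the members allowed to manage its preheat policies
// (a deliberate simplification of Harbor's RBAC).
type Project struct {
	ID      int64
	Name    string
	Members map[string]bool
}

// Registry is an in-memory stand-in for Harbor's project and policy stores.
type Registry struct {
	projects map[string]*Project // keyed by project name (path segment)
	policies map[int64]*Policy   // keyed by policy ID (request body)
}

var (
	ErrForbidden = errors.New("forbidden: user cannot manage this project")
	ErrNotFound  = errors.New("policy not found in this project")
)

// UpdateRequest models the PUT body: the caller chooses the policy ID.
type UpdateRequest struct {
	ID      int64
	Enabled bool
}

// updatePolicy models PUT /projects/{project_name}/preheat/policies/{preheat_policy_name}.
// With scopeCheck=false it behaves like the reported flaw: the permission check
// runs against the project named in the path, but the policy is then loaded by
// the ID from the body with no check that it belongs to that project.
func (r *Registry) updatePolicy(user, projectName, policyName string, req UpdateRequest, scopeCheck bool) error {
	proj, ok := r.projects[projectName]
	if !ok {
		return ErrNotFound
	}
	if !proj.Members[user] {
		return ErrForbidden // authorization is only ever evaluated for the path's project
	}
	pol, ok := r.policies[req.ID]
	if !ok {
		return ErrNotFound
	}
	// Hardened path: the policy referenced by ID must be the policy named in the
	// path, and it must live in the project the user was just authorized for.
	if scopeCheck && (pol.ProjectID != proj.ID || pol.Name != policyName) {
		return ErrNotFound
	}
	pol.Enabled = req.Enabled
	return nil
}

// newSampleRegistry builds constructed sample data: "mallory" is a member of
// "sandbox" only; policy 7 ("nightly-warmup") belongs to "prod".
func newSampleRegistry() *Registry {
	return &Registry{
		projects: map[string]*Project{
			"sandbox": {ID: 1, Name: "sandbox", Members: map[string]bool{"mallory": true}},
			"prod":    {ID: 2, Name: "prod", Members: map[string]bool{"alice": true}},
		},
		policies: map[int64]*Policy{
			3: {ID: 3, Name: "sandbox-warmup", ProjectID: 1, Enabled: true},
			7: {ID: 7, Name: "nightly-warmup", ProjectID: 2, Enabled: true},
		},
	}
}

// runScenario sends mallory's cross-project update through the handler and
// reports whether prod's policy was changed, plus the handler's result.
func runScenario(scopeCheck bool) (bool, error) {
	r := newSampleRegistry()
	// Path names a project mallory can access; body names prod's policy ID.
	err := r.updatePolicy("mallory", "sandbox", "sandbox-warmup", UpdateRequest{ID: 7, Enabled: false}, scopeCheck)
	changed := !r.policies[7].Enabled
	return changed, err
}

func main() {
	for _, check := range []bool{false, true} {
		changed, err := runScenario(check)
		fmt.Printf("scope check=%v: prod policy modified=%v, err=%v\n", check, changed, err)
	}
}
```

The design point is that a permission check bound to one identifier (the project name in the path) says nothing about an object selected by a second identifier (the policy id in the body); the hardened branch ties the two together before any write, and returns not-found rather than forbidden so the response does not confirm that the guessed id exists.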
Mitigation
Harbor fixed this vulnerability in versions 2.4.3 and 2.5.2 (see the affected packages below). Users are advised to upgrade as soon as possible; no workarounds are available for versions prior to the fix [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/goharbor/harbor | Go | >= 2.0.0, < 2.4.3 | 2.4.3 |
| github.com/goharbor/harbor | Go | >= 2.5.0, < 2.5.2 | 2.5.2 |
| github.com/goharbor/harbor/src | Go | < 0.0.0-20220630175814-b4ef1db | 0.0.0-20220630175814-b4ef1db |
Affected products
- Harbor/Harbor (no CPE), 3 version ranges in OSV coordinates:
  - >= 2.0.0, < 2.4.3
  - >= 2.0.0, < 2.4.3
  - < 0.0.0-20220630175814-b4ef1db
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: No linked articles in our index yet.