Harbor fails to validate the user permissions when updating tag immutability policies
Description
Harbor fails to validate the user permissions when updating tag immutability policies.
By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have access to, the attacker could modify tag immutability policies configured in other projects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Harbor fails to validate user permissions when updating tag immutability policies, allowing attackers to modify policies in projects they cannot access.
Harbor, an open-source cloud native registry, fails to validate user permissions when updating tag immutability policies. The vulnerability exists in the API endpoint PUT /projects/{project_name_or_id}/immutabletagrules/{immutable_rule_id}, which does not check whether the authenticated user has access to the project associated with the immutable rule ID [1][3].
An attacker with any valid user account can exploit this by sending a request to update a tag immutability policy using an immutable_rule_id that belongs to a project they do not have access to. The server processes the request without verifying permissions, allowing the attacker to modify policies in arbitrary projects [1][3].
The impact is that an attacker can alter tag immutability policies in other projects, potentially bypassing retention controls and compromising the integrity of image management. This could lead to unauthorized changes in which tags are protected or allowed to be overwritten [1][3].
This issue is fixed in Harbor v1.10.13, v2.4.3 and v2.5.2 (one patched release per supported line; see the package table below). No workaround is available, so the only mitigation is to upgrade to a patched release; until then, any authenticated user can disable or alter immutability rules in projects they are not a member of [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
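To make the mechanics concrete, the following Go program models the flaw described above: the handler authorises the caller against the project named in the URL path, then loads the immutability rule by its ID alone and never checks that the rule belongs to that project. This is an added example written for this page, not Harbor's own code; the `Store`, `ImmutableRule`, `User` types and the two `UpdateRule*` functions are simplified stand-ins, and the sample rules and users are constructed data.

```go
package main

import (
	"errors"
	"fmt"
)

// ImmutableRule is a hypothetical, simplified stand-in for a Harbor tag
// immutability rule, carrying only the fields this example needs.
type ImmutableRule struct {
	ID        int64
	ProjectID int64
	Disabled  bool
}

// User records which projects the caller may administer (constructed sample
// data, not Harbor's real RBAC model).
type User struct {
	Name     string
	Projects map[int64]bool
}

var (
	ErrForbidden = errors.New("forbidden: no access to project")
	ErrNotFound  = errors.New("immutable rule not found")
)

// Store holds rules keyed by rule ID, mimicking a lookup by primary key.
type Store struct {
	rules map[int64]*ImmutableRule
}

// NewSampleStore builds constructed sample data: rule 3 belongs to project 1,
// rule 7 belongs to project 2.
func NewSampleStore() *Store {
	return &Store{rules: map[int64]*ImmutableRule{
		3: {ID: 3, ProjectID: 1},
		7: {ID: 7, ProjectID: 2},
	}}
}

// UpdateRuleVulnerable models the flaw in the advisory: access is checked
// against the project named in the path, but the rule is then fetched by ID
// alone, so a rule from any other project can be modified.
func (s *Store) UpdateRuleVulnerable(u User, pathProjectID, ruleID int64, disabled bool) error {
	if !u.Projects[pathProjectID] {
		return ErrForbidden
	}
	r, ok := s.rules[ruleID]
	if !ok {
		return ErrNotFound
	}
	r.Disabled = disabled // missing: r.ProjectID == pathProjectID
	return nil
}

// UpdateRuleFixed adds the ownership check: the rule must belong to the
// project the caller was authorised for. A mismatch is reported as not-found
// so the response does not confirm that the ID exists in another project.
func (s *Store) UpdateRuleFixed(u User, pathProjectID, ruleID int64, disabled bool) error {
	if !u.Projects[pathProjectID] {
		return ErrForbidden
	}
	r, ok := s.rules[ruleID]
	if !ok || r.ProjectID != pathProjectID {
		return ErrNotFound
	}
	r.Disabled = disabled
	return nil
}

func main() {
	// The attacker is a member of project 1 only, yet targets rule 7 of project 2.
	attacker := User{Name: "mallory", Projects: map[int64]bool{1: true}}

	s := NewSampleStore()
	err := s.UpdateRuleVulnerable(attacker, 1, 7, true)
	fmt.Printf("vulnerable: err=%v, rule 7 (project 2) disabled=%v\n", err, s.rules[7].Disabled)

	s = NewSampleStore()
	err = s.UpdateRuleFixed(attacker, 1, 7, true)
	fmt.Printf("fixed:      err=%v, rule 7 (project 2) disabled=%v\n", err, s.rules[7].Disabled)
}
```

The general lesson is the one behind most IDOR bugs: authorising the caller for the resource named in the path is not enough when a second identifier in the request (here the rule ID) selects a different object. Every object loaded by ID must be tied back to the scope the caller was authorised for, and in Harbor's case that means the rule's project must equal the project in the path.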
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/goharbor/harbor | Go | >= 1.0.0, < 1.10.13 | 1.10.13 |
| github.com/goharbor/harbor | Go | >= 2.0.0, < 2.4.3 | 2.4.3 |
| github.com/goharbor/harbor | Go | >= 2.5.0, < 2.5.2 | 2.5.2 |
Affected products
- Harbor / Harbor (no CPE assigned)
  - range: >= 1.0.0, < 1.10.13
  - range: >= 2.0.0, < 2.4.3
  - one further range, listed in the package table above
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.