CVE-2019-16097

MEDIUM NUCLEI

Harbor 1.7.0-1.8.2 - Privilege Escalation

Exploitation Summary

EIP tracks 6 public exploits for CVE-2019-16097. PoCs published by evilAdan0s, rockmelodies, luckybool1020. A Nuclei detection template is also available.

AI-analyzed exploit summary: The PoC exploits CVE-2019-16097 in Harbor by sending a crafted JSON payload to the `/api/users` endpoint, allowing an attacker to create an admin account. The script checks for a 201 status code to confirm vulnerability.

Description

core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users to create admin accounts via the POST /api/users API when Harbor is set up with DB as the authentication backend and allows users to self-register. Fixed versions: v1.7.6, v1.8.3, v1.9.0. Workaround without applying the fix: configure Harbor to use a non-DB authentication backend such as LDAP.

Exploits (6)

nomisec WORKING POC 23 stars
by evilAdan0s · poc
https://github.com/evilAdan0s/CVE-2019-16097

The PoC exploits CVE-2019-16097 in Harbor by sending a crafted JSON payload to the `/api/users` endpoint, allowing an attacker to create an admin account. The script checks for a 201 status code to confirm vulnerability.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Harbor versions 1.7.0-1.8.2
No auth needed
Prerequisites: Network access to the Harbor API endpoint
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 5 stars
by rockmelodies · poc
https://github.com/rockmelodies/CVE-2019-16097-batch

The repository contains a functional Python script that exploits CVE-2019-16097, an arbitrary admin registration vulnerability in Harbor. The script sends a crafted POST request to create an admin account without authentication.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Harbor versions 1.7.0 to 1.8.2
No auth needed
Prerequisites: Target Harbor instance accessible via HTTP/HTTPS
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by luckybool1020 · poc
https://github.com/luckybool1020/CVE-2019-16097

This repository contains a functional exploit for CVE-2019-16097, an unauthenticated privilege escalation vulnerability in Harbor. The PoC leverages the Harbor API to create an admin user without authentication, demonstrating the vulnerability's impact.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Harbor (version not specified)
No auth needed
Prerequisites: Network access to the Harbor API endpoint
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 stars
by dacade · poc
https://github.com/dacade/cve-2019-16097

This repository contains a functional exploit for CVE-2019-16097, which allows unauthenticated user creation via a POST request to the `/api/users` endpoint. The script automates the process by reading target URLs from a file and writing results to an output file.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Unknown (likely a web application with vulnerable API endpoint)
No auth needed
Prerequisites: List of target URLs in `urls.txt`
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by theLSA · poc
https://github.com/theLSA/harbor-give-me-admin

This repository contains a functional exploit for CVE-2019-16097, which allows an attacker to add an admin user in Harbor by sending a crafted POST request to the `/api/users` endpoint with the parameter `"has_admin_role":true`. The script supports both single-target and batch exploitation.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Harbor (versions affected by CVE-2019-16097)
No auth needed
Prerequisites: Network access to the Harbor instance · Harbor registration endpoint exposed
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by ianxtianxt · poc
https://github.com/ianxtianxt/CVE-2019-16097

The repository contains a functional Python script that exploits CVE-2019-16097, an arbitrary admin registration vulnerability in Harbor. The script sends a crafted POST request to create an admin account without authentication.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Harbor 1.7.0 to 1.8.2
No auth needed
Prerequisites: Target Harbor instance running vulnerable version · Network access to the Harbor API endpoint
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

Harbor <=1.82.0 - Privilege Escalation
MEDIUM · by pikpikcu
Shodan: http.favicon.hash:657337228
FOFA: icon_hash=657337228

Scores

CVSS v3 6.5
EPSS 0.9358
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE: CWE-862
Status: published
Products (11)
goharbor/harbor 1.7.0 - 1.9.0-rc1 (Go)
linuxfoundation/harbor 1.7.0 (3 CPE variants)
linuxfoundation/harbor 1.7.1
linuxfoundation/harbor 1.7.2
linuxfoundation/harbor 1.7.3
linuxfoundation/harbor 1.7.4
linuxfoundation/harbor 1.7.5
linuxfoundation/harbor 1.8.0 (3 CPE variants)
linuxfoundation/harbor 1.8.1
linuxfoundation/harbor 1.8.2 (3 CPE variants)
... and 1 more
Published Sep 08, 2019
Tracked Since Feb 18, 2026