Description
CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter password=~ could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.
References (4)
Core 4
Core References
Various Sources
https://github.com/goharbor/harbor/releases
Various Sources
https://goharbor.io/blog/
Various Sources
https://www.elttam.com/blog/plormbing-your-django-orm/
Scores
CVSS v3
4.9
EPSS
0.0057
EPSS Percentile
42.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (1)
goharbor/harbor
2.13.0 - 2.13.1Go
Published
Jul 25, 2025
Tracked Since
Feb 18, 2026