PT-2025-30605 · Cncf · Cncf Harbor

Published: 2025-07-23 · Updated: 2025-08-04 · CVE-2025-30086

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

CNCF Harbor versions 2.12.0 through 2.12.3
CNCF Harbor versions 2.13.0 through 2.13.0

Description

An ORM leak exists in the /api/v2.0/users endpoint, allowing administrators to potentially disclose users' password hash and salt values. The q URL parameter enables filtering users by any column, and the filter password=~ can be abused to leak a user's password hash character by character. An attacker with administrator access could exploit this to leak sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack.

Recommendations

For CNCF Harbor versions 2.12.0 through 2.12.3, update to version 2.12.4 or later. For CNCF Harbor versions 2.13.0 through 2.13.0, update to version 2.13.1 or later.
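The root cause described above is a filter parameter that reaches the ORM with any column name the client chooses. The Go snippet below is an added example (not Harbor's own code) of the defensive pattern that closes this class of ORM leak: parse the q parameter and reject every key that is not on an explicit allow-list of filterable columns before it is turned into a query. The allow-list, the sensitive-column list and the simplified q grammar are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed allow-list of columns a caller may filter users on.
// These names are assumptions for this example, not Harbor's own list.
var allowedUserFilterKeys = map[string]bool{"username": true, "email": true, "realname": true}

// Columns that must never be reachable through a client-supplied filter,
// regardless of what the allow-list says (defence in depth against later edits).
var sensitiveKeys = map[string]bool{"password": true, "salt": true}

var ErrDisallowedFilterKey = errors.New("filter key not permitted")

// ParseQuery splits a q parameter of the form "k1=v1,k2=~v2" into key/value
// pairs, keeping the match operator (e.g. "~" for fuzzy match) on the value.
// Any key outside the allow-list is rejected before it can reach the ORM,
// so "password=~..." never becomes a WHERE clause. Values containing commas
// are out of scope for this simplified parser.
func ParseQuery(q string) (map[string]string, error) {
	filters := map[string]string{}
	if strings.TrimSpace(q) == "" {
		return filters, nil
	}
	for _, part := range strings.Split(q, ",") {
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 || strings.TrimSpace(kv[0]) == "" {
			return nil, fmt.Errorf("malformed filter %q", part)
		}
		key := strings.ToLower(strings.TrimSpace(kv[0]))
		if sensitiveKeys[key] || !allowedUserFilterKeys[key] {
			return nil, fmt.Errorf("%w: %s", ErrDisallowedFilterKey, key)
		}
		filters[key] = kv[1]
	}
	return filters, nil
}

func main() {
	// Constructed sample inputs: a legitimate filter and a leak attempt.
	for _, q := range []string{"username=~adm,email=a@example.test", "password=~$2a$10"} {
		f, err := ParseQuery(q)
		fmt.Printf("q=%q -> filters=%v err=%v\n", q, f, err)
	}
}
```

The same check belongs on every endpoint that accepts q, since the advisory notes that all of them share the vulnerable filter path.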

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2025-30086
GHSA-H27M-3QW8-3PW8
GO-2025-3826
OPENSUSE-SU-2025:15405-1

Affected Products

Cncf Harbor