### Impact
Harbor fails to validate the user permissions when updating a robot account that
belongs to a project that the authenticated user doesnt have access to. API call:
PUT /robots/{robot_id}
By sending a request that attempts to update a robot account, and specifying a robot
account id and robot account name that belongs to a different project that the user
doesnt have access to, it was possible to revoke the robot account permissions.
### Patches
This and similar issues are fixed in Harbor v2.5.2 and later. Please upgrade as soon as possible.
### Workarounds
There are no workarounds available.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the Harbor GitHub repository](https://github.com/goharbor/harbor)
### Credits
Thanks to [Gal Goldstein](https://www.linkedin.com/in/gal-goldshtein/) and [Daniel Abeles](https://www.linkedin.com/in/daniel-abeles/) from [Oxeye Security](https://www.oxeye.io/) for reporting this issue.Read More