Use of hard coded credentials in GoHarbor Harbor
Description
Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GoHarbor Harbor <=2.15.0 uses hard-coded default credentials allowing attackers to gain full admin access to the web UI.
Vulnerability
Overview
CVE-2026-4404 describes the use of hard-coded credentials in GoHarbor's Harbor, an open-source container registry, up to version 2.15.0. The default administrator account is created with a well-known password (Harbor12345) that is set via the harbor_admin_password configuration parameter in harbor.yml. Because Harbor does not enforce a password change during initial setup or first login, these credentials remain active if not manually changed by the operator [1][4].
Exploitation
An attacker with network access to the Harbor web UI can authenticate using the default username admin and password Harbor12345. No prior authentication or special privileges are required. The attack surface is any publicly exposed or internally accessible Harbor instance that has not had its default credentials updated [1][4].
Impact
Successful exploitation grants full administrative control over the Harbor registry. An attacker can upload, modify, or delete container images, potentially injecting malicious artifacts into downstream CI/CD pipelines and Kubernetes environments. They can also create new users or robot accounts for persistent access, disable security features like vulnerability scanning and signature enforcement, exfiltrate sensitive images via replication or direct download, and corrupt or remove data, leading to service disruption and supply-chain compromise [4].
Mitigation
Harbor does not force a password change upon deployment. The recommended mitigation is to change the default administrator password immediately after installation, either by editing harbor.yml before startup or via the web UI after deployment. Organizations should also consider enforcing password rotation policies and monitoring for default credential usage. As of the publication date, no patch is required; the fix is operational best practice [3][4].
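The mitigation above is operational: make sure harbor.yml does not ship the installer's default admin password. The following Python is an added example (not Harbor project code) of a pre-deployment check that a CI job or config review can run against harbor.yml. It assumes only what the advisory and Harbor's installer documentation state: the admin password is the top-level harbor_admin_password key and the default value is Harbor12345. The minimum-length threshold and the sample harbor.yml fragments are constructed for the example and are not Harbor-enforced values.

```python
"""Audit harbor.yml for the well-known default admin password.

Added example, not part of the Harbor project. Assumes harbor.yml uses a
top-level `harbor_admin_password:` key (per the Harbor installer docs) and
that the installer default is Harbor12345 (per the advisory).
"""
import re
from typing import List, Optional

DEFAULT_ADMIN_PASSWORD = "Harbor12345"   # installer default named in the advisory
MIN_PASSWORD_LENGTH = 12                  # assumed local policy, not a Harbor value

_KEY_RE = re.compile(r"^(\s*)harbor_admin_password\s*:(.*)$")


def _parse_scalar(raw: str) -> str:
    """Reduce the text after the colon to the password value.

    Handles single/double quoting and a trailing YAML comment (' #...').
    Not a full YAML parser; sufficient for the flat harbor.yml key.
    """
    value = raw.strip()
    if len(value) >= 2 and value[0] in "\"'" and value[-1] == value[0]:
        return value[1:-1]
    comment_at = value.find(" #")
    if comment_at != -1:
        value = value[:comment_at].rstrip()
    return value


def extract_admin_password(harbor_yml: str) -> Optional[str]:
    """Return the configured harbor_admin_password, or None if the key is absent."""
    for line in harbor_yml.splitlines():
        match = _KEY_RE.match(line)
        if match:
            return _parse_scalar(match.group(2))
    return None


def audit_admin_password(harbor_yml: str) -> List[str]:
    """Return a list of findings; an empty list means the check passed."""
    findings: List[str] = []
    password = extract_admin_password(harbor_yml)
    if password is None:
        findings.append("harbor_admin_password is not set in this file; verify what the installer will use")
        return findings
    if password == DEFAULT_ADMIN_PASSWORD:
        findings.append("harbor_admin_password is the installer default Harbor12345")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"harbor_admin_password is shorter than {MIN_PASSWORD_LENGTH} characters")
    return findings


def set_admin_password(harbor_yml: str, new_password: str) -> str:
    """Return harbor_yml with harbor_admin_password replaced by a quoted new value.

    Preserves the key's indentation; raises if the key is missing so a
    silent no-op cannot pass review.
    """
    replaced = False
    out = []
    for line in harbor_yml.splitlines(keepends=True):
        match = _KEY_RE.match(line)
        if match and not replaced:
            quoted = new_password.replace("\\", "\\\\").replace('"', '\\"')
            line = f'{match.group(1)}harbor_admin_password: "{quoted}"\n'
            replaced = True
        out.append(line)
    if not replaced:
        raise ValueError("harbor_admin_password key not found")
    return "".join(out)


# Constructed sample fragments (not a real deployment's harbor.yml).
SAMPLE_DEFAULT_YML = """\
hostname: registry.example.internal
harbor_admin_password: Harbor12345  # shipped default
database:
  password: root123
"""

SAMPLE_HARDENED_YML = set_admin_password(SAMPLE_DEFAULT_YML, "Ch4nge-Me-Before-Deploy!")

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT_YML), ("hardened", SAMPLE_HARDENED_YML)):
        print(name, audit_admin_password(text) or "OK")
```

Run it as part of the pipeline that renders harbor.yml, and fail the deployment when the findings list is non-empty. The check is deliberately file-based so it runs before the installer script creates the admin account; changing the password through the web UI after deployment, as the advisory also suggests, is the fallback for instances already running.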
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/goharbor/harbor (Go) | <= 2.15.0 | — |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-hj7x-hmf2-hc2p (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2026-4404 (NVD advisory)
- [3] github.com/goharbor/harbor/issues/1937 (web)
- [4] github.com/goharbor/harbor/pull/22751 (web)
- [5] goharbor.io/docs/1.10/install-config/run-installer-script/ (web)
- [6] www.kb.cert.org/vuls/id/577436 (web)
- [7] cwe.mitre.org/data/definitions/1393.html (MITRE CWE)
News mentions (0)
No linked articles in our index yet.