Description
Use of hard-coded credentials in GoHarbor Harbor version 2.15.0 and below allows attackers to use the default password and gain access to the web UI.
Published: 2026-03-23
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized administrative access via default credentials
Action: Immediate patch
AI Analysis

Impact

Harbor contains hard‑coded default administrator credentials that are deployed unchanged when the product is installed. An attacker who can reach the web interface can use the username admin and the password Harbor12345 to authenticate as an administrator, gaining full control over the registry, including the capability to upload, delete, or modify container images and to alter configuration settings.

Affected Systems

The flaw affects Harbor 2.15.0 and all earlier releases. Any deployment that has not been updated beyond 2.15.0 and that has not configured a custom administrator password is at risk. This includes installations of Harbor deployed from the open‑source project or from Harbor Inc.; the vulnerability is product‑wide regardless of hosting environment.

Risk and Exploitability

The CVSS score of 9.4 classifies the issue as critical. The exploit requires only network access to the Harbor UI and no special configuration or privilege escalation. The absence of a KEV listing does not reduce the risk, as the credentials are trivial to guess and the vulnerability is well documented. An attacker who gains administrative access can compromise the integrity and confidentiality of all container artifacts in the registry.

Generated by OpenCVE AI on March 23, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Harbor to a version where the hard‑coded credentials are removed (e.g., 2.15.1 or later).
  • If upgrading is not immediately possible, modify the admin password in the harbor.yml configuration file or through the web UI, and enforce the change to a strong password.
  • After changing the credential, verify that the default admin credentials no longer authenticate successfully.
  • Restrict network access to the Harbor UI to only trusted hosts or internal network segments, and enable multi‑factor authentication if available.
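The second and third recommendations above amount to a configuration check: confirm that the administrator password set for the deployment is not the shipped default and is not trivially weak. The script below is an added example, not code from OpenCVE or the Harbor project. It assumes the installer's harbor.yml carries the admin password under the top-level key harbor_admin_password, and the length and character-class floor it enforces is this example's own policy rather than Harbor's; the two sample configurations are constructed for illustration.

```python
"""Lint a harbor.yml for the default administrator password (CVE-2026-4404).

Added example for this advisory, not code from OpenCVE or the Harbor project.
Assumes the top-level key `harbor_admin_password` in harbor.yml; the strength
floor below is this script's own policy, not Harbor's.
"""
import re
import string
import sys

DEFAULT_ADMIN_PASSWORD = "Harbor12345"   # shipped default named in the advisory
MIN_LENGTH = 12                           # policy chosen for this example

# Matches a top-level `harbor_admin_password:` line; value may be bare,
# double-quoted or single-quoted, optionally followed by a `# comment`.
_KEY_RE = re.compile(
    r'^harbor_admin_password:\s*(?:"([^"]*)"|\'([^\']*)\'|([^#\s]*))\s*(?:#.*)?$'
)


def extract_admin_password(harbor_yml: str):
    """Return the configured admin password, or None if the key is absent."""
    for line in harbor_yml.splitlines():
        m = _KEY_RE.match(line)
        if m:
            return next(g for g in m.groups() if g is not None)
    return None


def check_admin_password(password):
    """Return a list of findings; an empty list means the setting passes."""
    findings = []
    if password is None:
        findings.append("harbor_admin_password is missing; confirm the admin "
                        "password was changed some other way (e.g. via the UI)")
        return findings
    if password == DEFAULT_ADMIN_PASSWORD:
        findings.append("harbor_admin_password is the shipped default Harbor12345")
    if len(password) < MIN_LENGTH:
        findings.append(f"password shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        findings.append("password uses fewer than three character classes")
    return findings


def lint_harbor_yml(harbor_yml: str):
    """Extract the admin password from harbor.yml text and check it."""
    return check_admin_password(extract_admin_password(harbor_yml))


# Constructed sample configurations (not taken from any real deployment).
WEAK_HARBOR_YML = """\
hostname: registry.example.internal
harbor_admin_password: Harbor12345
"""

HARDENED_HARBOR_YML = """\
hostname: registry.example.internal
harbor_admin_password: "Xq7!vRm2#pLw9sTz"   # set at install; rotate via the UI afterwards
"""


if __name__ == "__main__":
    # Usage: python harbor_admin_lint.py [path/to/harbor.yml]
    # Without a path the constructed weak sample is linted.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else WEAK_HARBOR_YML
    problems = lint_harbor_yml(text)
    for problem in problems:
        print("FAIL:", problem)
    print("OK: admin password passes the checks" if not problems
          else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Harbor reads harbor_admin_password only when the system is first started; on an existing installation the password is changed through the web UI or API, so a clean harbor.yml is necessary but not sufficient, and the advisory's third bullet (confirming that the default credential no longer authenticates) still has to be carried out against the running instance.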

Advisories

Source: Github GHSA
ID: GHSA-hj7x-hmf2-hc2p
Title: Harbor allows the use of the default password for web UI login

History

Tue, 24 Mar 2026 16:30:00 +0000
  Type: References
  Values Removed: (none listed)
  Values Added: (none listed)

Tue, 24 Mar 2026 10:45:00 +0000
  Type: First Time appeared
  Values Added: Goharbor; Goharbor harbor
  Type: Vendors & Products
  Values Added: Goharbor; Goharbor harbor

Mon, 23 Mar 2026 16:15:00 +0000
  Type: Weaknesses
  Values Added: CWE-1393; CWE-798
  Type: Metrics
  Values Added:
    cvssV3_1: {'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 15:15:00 +0000
  Type: Description
  Values Added: Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.
  Type: Title
  Values Added: Use of hard coded credentials in GoHarbor Harbor
  Type: References
  Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-03-24T15:25:10.390Z

Reserved: 2026-03-18T19:43:57.063Z

Link: CVE-2026-4404

Vulnrichment

Updated: 2026-03-24T15:25:10.390Z

NVD

Status: Awaiting Analysis

Published: 2026-03-23T15:16:35.403

Modified: 2026-03-24T16:16:36.507

Link: CVE-2026-4404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T21:27:58Z

Weaknesses