{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/577436#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nGoHarbor's Harbor ships with a default admin password that presents a security risk because it is not required to be changed upon initial deployment.\r\n\r\n### Description\r\nGoHarbor's Harbor is an open-source OCI-compliant container registry project that stores, signs, and manages container images. Harbor initializes with a default administrator account (`admin`) and password (`Harbor12345`), configured through the `harbor_admin_password` parameter in `harbor.yml`.\r\nWhile operators are expected to change these credentials during or after deployment, Harbor does not enforce a password change during setup or upon first login. If the default credentials remain unchanged, a remote attacker can authenticate using the publicly known password to gain full administrative access.\r\n\r\n### Impact\r\nAn attacker who gains administrative access can fully compromise the Harbor registry and all managed artifacts. This includes the ability to overwrite or inject malicious container images, enabling supply-chain attacks that may lead to remote code execution in downstream continuous integration and continuous delivery (CI/CD) pipelines and Kubernetes environments. The attacker can establish persistent access by creating new users, robot accounts, or API tokens, and can weaken or disable security controls such as vulnerability scanning, signature enforcement, and role-based access controls.\r\nAdditionally, sensitive images can be exfiltrated by configuring replication to external registries or by downloading artifacts directly. Administrative privileges also allow destructive actions such as deleting repositories or corrupting artifacts, resulting in service disruption and loss of system integrity.\r\n\r\n### Solution\r\nOperators should change the default administrative password either before or immediately after deployment. This can be done through the Harbor web interface or by specifying a unique value for `harbor_admin_password` in `harbor.yml` during installation.\r\nA fix has been proposed to address the hardcoded default password by removing or randomizing default credentials during installation. See the Harbor pull request:\r\nhttps://github.com/goharbor/harbor/pull/19188\r\n\r\n### Acknowledgements\r\nThanks to notnotnotveg (notnotnotveg@gmail.com) who reported this vulnerability. This document was written by Michael Bragg.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status.\r\nPlease consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/577436"},{"url":"https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345","summary":"Harbor documentation: running the installer script (default administrator username and password)"},{"url":"https://github.com/goharbor/harbor/issues/1937","summary":"Harbor issue #1937"},{"url":"https://cwe.mitre.org/data/definitions/1393.html","summary":"CWE-1393: Use of Default Password"},{"url":"https://github.com/goharbor/harbor/pull/22751","summary":"Harbor pull request #22751"}],"title":"Hard coded credentials vulnerability in GoHarbor's Harbor","tracking":{"current_release_date":"2026-03-24T14:11:03+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#577436","initial_release_date":"2026-03-24 14:11:03.512526+00:00","revision_history":[{"date":"2026-03-24T14:11:03+00:00","number":"1.20260324141103.1","summary":"Released on 2026-03-24T14:11:03+00:00"}],"status":"final","version":"1.20260324141103.1"}},"vulnerabilities":[{"title":"Use of hard coded credentials in GoHarbor Harbor version 2.","notes":[{"category":"summary","text":"Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below allows attackers to use the default password and gain access to the web UI."}],"cve":"CVE-2026-4404","ids":[{"system_name":"CERT/CC V Identifier","text":"VU#577436"}],"product_status":{"known_not_affected":["CSAFPID-9e322efa-39b1-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Harbor","product":{"name":"Harbor Products","product_id":"CSAFPID-9e322efa-39b1-11f1-8422-122e2785dc9f"}}]}}