
Critical Hardcoded Credentials Flaw in GoHarbor's Harbor Exposes Registries to Attacks

Severity: High (Score: 72.8)

Sources: Kb.Cert, Gbhackers

Summary

GoHarbor's Harbor container registry has a critical vulnerability, CVE-2026-4404, caused by hardcoded default credentials. The default admin password, 'Harbor12345', is not required to be changed at initial deployment, so any instance left with it accepts unauthorized logins. The flaw gives an attacker full administrative control over the Harbor registry, allowing container images to be overwritten or malicious images injected, which creates a significant supply-chain risk. Organizations running Harbor risk exfiltration of sensitive images or loss of system integrity through destructive actions such as deleting repositories. A patch has been issued, and operators are urged to change the default credentials immediately. The vulnerability was reported by a user and has been acknowledged in an urgent advisory. The potential impact includes compromised CI/CD pipelines and Kubernetes environments. The vulnerability was published on March 23, 2026.

Key Points:

  • CVE-2026-4404 exposes GoHarbor's Harbor to severe supply-chain attacks.
  • Default credentials remain unchanged post-deployment, allowing unauthorized access.
  • A patch has been issued, and immediate action is recommended for operators.
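As an added example (not from the advisory or the Harbor project), a Python check that audits the `harbor_admin_password` key in Harbor's installer file harbor.yml against the default named above, so operators can catch an unrotated default before or after deployment. It uses a constructed harbor.yml fragment and a simple line-based parser rather than a YAML library; the minimum-length threshold is an assumed local policy.

```python
import re

# Default admin password named in the advisory; it must never survive deployment.
HARBOR_DEFAULT_ADMIN_PASSWORD = "Harbor12345"
# Assumed local policy, not a Harbor requirement.
MIN_PASSWORD_LENGTH = 16

# Constructed harbor.yml fragment standing in for a real installer config.
SAMPLE_HARBOR_YML = """\
hostname: registry.example.internal
http:
  port: 80
# The initial password of Harbor admin, only used on first launch.
harbor_admin_password: Harbor12345
database:
  password: root123
"""


def read_top_level_key(text: str, key: str):
    """Return the value of an unindented 'key: value' line, or None if absent.

    Deliberately simple: enough for flat installer keys, not a YAML parser.
    """
    pattern = re.compile(rf"^{re.escape(key)}\s*:\s*(.*?)\s*$", re.MULTILINE)
    match = pattern.search(text)
    if not match:
        return None
    value = match.group(1).split(" #", 1)[0].strip()  # drop trailing comment
    return value.strip("'\"")  # drop surrounding quotes if any


def audit_harbor_admin_password(text: str) -> list[str]:
    """Return findings about harbor_admin_password; an empty list means no issue."""
    findings = []
    value = read_top_level_key(text, "harbor_admin_password")
    if not value:
        findings.append("harbor_admin_password is missing or empty; the default cannot be assumed replaced")
        return findings
    if value == HARBOR_DEFAULT_ADMIN_PASSWORD:
        findings.append("harbor_admin_password is the documented default 'Harbor12345'")
    if len(value) < MIN_PASSWORD_LENGTH:
        findings.append(f"harbor_admin_password is shorter than {MIN_PASSWORD_LENGTH} characters")
    return findings


if __name__ == "__main__":
    for finding in audit_harbor_admin_password(SAMPLE_HARBOR_YML):
        print("FINDING:", finding)
```

Note that this checks only the installer file; an admin password changed later through the Harbor UI or API is not reflected in harbor.yml, so the check is a pre-deployment gate, not proof of the running instance's state.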

Key Entities

  • Supply Chain Attack (attack_type)
  • CVE-2026-4404 (cve)
  • T1078 - Valid Accounts (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • T1567 - Exfiltration Over Web Service (mitre_attack)
  • Harbor (platform)
  • Harbor Container Registry (platform)
  • Kubernetes (platform)