{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/goharbor/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["vulnerability","hardcoded-credentials","goharbor"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGoHarbor Harbor, a popular open-source cloud native registry, is susceptible to a critical vulnerability (CVE-2026-4404) in versions 2.15.0 and below. This flaw stems from the use of hardcoded credentials, specifically a default password, which, if unchanged, allows unauthorized access to the web UI. An attacker exploiting this vulnerability can bypass authentication and potentially gain full control over the Harbor instance. This poses a significant risk to organizations using affected Harbor versions, as it can lead to data breaches, container image tampering, and other malicious activities. The vulnerability was reported in March 2026, and defenders should prioritize upgrading or mitigating affected instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a GoHarbor Harbor instance running version 2.15.0 or below.\u003c/li\u003e\n\u003cli\u003eAttacker accesses the web UI login page of the Harbor instance.\u003c/li\u003e\n\u003cli\u003eAttacker enters the default username (\u0026ldquo;admin\u0026rdquo;) and password (\u0026ldquo;Harbor12345\u0026rdquo;), as documented in the official GoHarbor documentation.\u003c/li\u003e\n\u003cli\u003eThe Harbor instance authenticates the attacker due to the use of default credentials.\u003c/li\u003e\n\u003cli\u003eAttacker gains access to the Harbor web UI with administrator privileges.\u003c/li\u003e\n\u003cli\u003eAttacker can now manage container images, repositories, and users within the Harbor instance.\u003c/li\u003e\n\u003cli\u003eAttacker may pull sensitive images, inject malicious code into existing images, or create new malicious images.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the now compromised Harbor instance to distribute malicious container images throughout the organization\u0026rsquo;s infrastructure, leading to widespread compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain complete control over a GoHarbor Harbor instance. This can lead to the compromise of container images, potentially injecting malware into the software supply chain. The impact could range from data exfiltration and service disruption to full system compromise, depending on the privileges associated with the Harbor instance. Given the widespread use of GoHarbor in cloud-native environments, this vulnerability presents a significant risk to numerous organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade GoHarbor Harbor instances to a version greater than 2.15.0 to remediate CVE-2026-4404.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, change the default \u0026ldquo;admin\u0026rdquo; password (\u0026ldquo;Harbor12345\u0026rdquo;) to a strong, unique password as outlined in the GoHarbor documentation.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect login attempts using the default credentials against the Harbor web UI based on webserver logs.\u003c/li\u003e\n\u003cli\u003eRegularly review and update credentials for all services and applications to prevent the exploitation of default or hardcoded passwords.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-goharbor-hardcoded-creds/","summary":"GoHarbor Harbor version 2.15.0 and below is vulnerable to the use of hard-coded credentials, allowing an attacker to use the default password and gain unauthorized access to the web UI.","title":"GoHarbor Harbor v2.15.0 and Below Vulnerable to Hardcoded Credentials","url":"https://feed.craftedsignal.io/briefs/2026-03-goharbor-hardcoded-creds/"}],"language":"en","title":"CraftedSignal Threat Feed — Goharbor","version":"https://jsonfeed.org/version/1.1"}