Attack Chain

1. Attacker identifies a GoHarbor Harbor instance running version 2.15.0 or below.
2. Attacker accesses the web UI login page of the Harbor instance.
3. Attacker enters the default username (“admin”) and password (“Harbor12345”), as documented in the official GoHarbor documentation.
4. The Harbor instance authenticates the attacker due to the use of default credentials.
5. Attacker gains access to the Harbor web UI with administrator privileges.
6. Attacker can now manage container images, repositories, and users within the Harbor instance.
7. Attacker may pull sensitive images, inject malicious code into existing images, or create new malicious images.
8. The attacker uses the now compromised Harbor instance to distribute malicious container images throughout the organization’s infrastructure, leading to widespread compromise.

Impact

Successful exploitation of this vulnerability allows an attacker to gain complete control over a GoHarbor Harbor instance. This can lead to the compromise of container images, potentially injecting malware into the software supply chain. The impact could range from data exfiltration and service disruption to full system compromise, depending on the privileges associated with the Harbor instance. Given the widespread use of GoHarbor in cloud-native environments, this vulnerability presents a significant risk to numerous organizations.

Recommendation

• Immediately upgrade GoHarbor Harbor instances to a version greater than 2.15.0 to remediate CVE-2026-4404.
• If upgrading is not immediately feasible, change the default “admin” password (“Harbor12345”) to a strong, unique password as outlined in the GoHarbor documentation.
• Deploy the provided Sigma rule to detect login attempts using the default credentials against the Harbor web UI based on webserver logs.
• Regularly review and update credentials for all services and applications to prevent the exploitation of default or hardcoded passwords.