GoHarbor Harbor Registry Vulnerable to Full System Compromise via Default Credentials
Take action: If you run Harbor, treat this as urgent. Change the default admin password (admin / Harbor12345) immediately; this matters most if the instance is reachable from the internet. For new deployments, set a unique admin password (the harbor_admin_password key in harbor.yml) before running the installer, and review the audit logs for unexpected admin activity. If at all possible, keep Harbor off the public internet.
Learn More
GoHarbor's Harbor container registry ships with a publicly known default administrator credential, and that default is the basis of a critical security issue.
The flaw is tracked as CVE-2026-4404 (CVSS score 9.4) and allows attackers to gain full administrative control over the registry. Harbor creates the built-in admin account during installation with the password taken from the harbor_admin_password setting in harbor.yml, which defaults to Harbor12345. That password stays valid until an operator changes it, and the platform does not force a reset on first login, so many internet-exposed instances remain accessible with a credential that is printed in the public documentation. Attackers use automated scanners to find Harbor instances that still accept it.
Attackers with administrative access can perform the following actions:
- Overwrite legitimate container images with malicious versions to poison the supply chain.
- Exfiltrate proprietary container images and sensitive intellectual property.
- Create persistent robot accounts or API tokens to maintain long-term access.
- Disable security features such as vulnerability scanning and image signature verification.
- Delete entire projects or repositories, causing significant operational disruption.
The vulnerability impacts Harbor versions 2.15.0 and earlier. Organizations that ran the stock installation script without editing the configuration file are at the highest risk. Because the attacker operates with legitimate administrative privileges, the activity blends in with normal registry operations, which makes it hard for security teams to detect.
Administrators must immediately change the default administrator password, either through the Harbor web interface or through the REST API, to secure their instances.
For new deployments, it is vital to set a unique admin password in harbor.yml before running the installation script. The GoHarbor development team is working on updates that randomize the initial password or require a change during setup. Until those changes ship, the available mitigations are manual hardening, keeping the registry off the public internet, and continuous review of the audit logs for a registry takeover in progress.
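The procedure above (check the config file for the stock password, confirm the live instance no longer accepts it, rotate it, then review what the admin account has been doing), as an added example that is not part of this advisory or of the Harbor project. It uses only the Python standard library. The Harbor v2.0 API paths, the admin user id of 1, and the set of admin operations treated as alert-worthy are assumptions noted in the code, and the audit-log rows at the bottom are constructed in the shape of Harbor's audit-log JSON rather than captured from a real instance. The harbor.yml check and the audit filter run offline; the probe and rotation need network access to the registry.

```python
"""Harbor default-admin check, rotation and audit review (added example, not Harbor project code).

Assumed Harbor v2.0 REST API endpoints; confirm against your release's Swagger UI:
  GET /api/v2.0/users/current        -> 200 when the basic-auth credential is valid
  PUT /api/v2.0/users/{id}/password  -> body {"old_password", "new_password"}; admin is id 1
  GET /api/v2.0/audit-logs           -> JSON array, paged with page / page_size
"""
import base64
import json
import re
import secrets
import string
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "Harbor12345"


def harbor_yml_uses_default(yml_text: str) -> bool:
    """True when harbor.yml still carries the stock admin password.

    A regex rather than PyYAML so the check runs anywhere; it tolerates optional
    quotes and a trailing comment, and skips lines that are commented out.
    """
    m = re.search(r'^\s*harbor_admin_password:\s*["\']?([^"\'#\s]+)', yml_text, re.M)
    return m is not None and m.group(1) == DEFAULT_PASSWORD


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def generate_password(length: int = 24) -> str:
    """Random password meeting Harbor's rule: 8-128 chars with upper, lower and digit."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.islower() for c in pw) and any(c.isupper() for c in pw) and any(c.isdigit() for c in pw):
            return pw


def _call(base_url, method, path, user, password, body=None):
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:  # HTTPError raised on 4xx/5xx
        return resp.status, resp.read()


def default_creds_accepted(base_url: str) -> bool:
    """Live probe: does admin / Harbor12345 still authenticate against this instance?"""
    try:
        status, _ = _call(base_url, "GET", "/api/v2.0/users/current", DEFAULT_USER, DEFAULT_PASSWORD)
        return status == 200
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def rotate_admin_password(base_url: str, old_password: str, new_password: str, admin_id: int = 1) -> bool:
    body = {"old_password": old_password, "new_password": new_password}
    status, _ = _call(base_url, "PUT", f"/api/v2.0/users/{admin_id}/password",
                      DEFAULT_USER, old_password, body)
    return status == 200


def fetch_audit_logs(base_url: str, user: str, password: str, page_size: int = 100):
    """Walk every page of /api/v2.0/audit-logs and yield the raw rows."""
    page = 1
    while True:
        q = urllib.parse.urlencode({"page": page, "page_size": page_size})
        _, raw = _call(base_url, "GET", f"/api/v2.0/audit-logs?{q}", user, password)
        rows = json.loads(raw)
        if not rows:
            return
        yield from rows
        page += 1


# Admin actions that deserve an alert. This set is an assumption to tune per release:
# older Harbor audit logs do not record robot-account or configuration changes.
WATCH = {("delete", "artifact"), ("delete", "repository"), ("delete", "project"), ("create", "project")}


def flag_admin_actions(rows, watch=WATCH):
    """Return audit rows where the built-in admin performed a watched operation."""
    return [r for r in rows
            if r.get("username") == DEFAULT_USER
            and (r.get("operation"), r.get("resource_type")) in watch]


# Constructed sample in the shape of Harbor's audit-log JSON (not a real capture).
SAMPLE_AUDIT_LOG = [
    {"id": 1, "username": "ci-bot", "resource": "library/app:1.4", "resource_type": "artifact",
     "operation": "create", "op_time": "2026-03-02T09:14:03Z"},
    {"id": 2, "username": "admin", "resource": "library/app:1.4", "resource_type": "artifact",
     "operation": "pull", "op_time": "2026-03-02T21:01:40Z"},
    {"id": 3, "username": "admin", "resource": "library/app:1.4", "resource_type": "artifact",
     "operation": "delete", "op_time": "2026-03-02T21:02:11Z"},
    {"id": 4, "username": "admin", "resource": "library", "resource_type": "project",
     "operation": "delete", "op_time": "2026-03-02T21:05:57Z"},
]

if __name__ == "__main__":
    for row in flag_admin_actions(SAMPLE_AUDIT_LOG):
        print("ALERT", row["op_time"], row["operation"], row["resource_type"], row["resource"])
    # Live checks (network). HARBOR_URL is a placeholder; uncomment against your own registry:
    # HARBOR_URL = "https://harbor.example.internal"
    # if default_creds_accepted(HARBOR_URL):
    #     new_pw = generate_password()
    #     print("rotated:", rotate_admin_password(HARBOR_URL, DEFAULT_PASSWORD, new_pw), "store:", new_pw)
```

Rotating through the API with a freshly generated password is preferable to typing one into the web UI when many instances are involved; store the generated value in a secret manager before the script exits, because Harbor will not show it again. The audit filter deliberately keys on the built-in admin account: day-to-day work should go through named users and scoped robot accounts, so any destructive operation attributed to admin is worth a look regardless of whether the credential was ever rotated.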