EXECUTIVE SUMMARY:
CVE-2026-4404, rated CVSS 9.4, is a critical vulnerability in GoHarbor's Harbor, a widely used open-source container registry, and centers on a risky default credential policy. Harbor is essential for many organizations that store, sign, and manage container images, but a simple oversight in its setup process has created what researchers call a significant security risk. The flaw stems from how Harbor initializes administrative access: by default it creates an account with the username admin and the publicly known password Harbor12345. If these default credentials remain unchanged, a remote attacker can authenticate and gain full administrative access, fully compromising the Harbor registry and every artifact it manages, with a catastrophic impact on the development lifecycle.

An attacker with these privileges can also mount supply chain attacks by overwriting legitimate container images with poisoned versions, potentially leading to remote code execution across an organization's entire infrastructure. They can create new robot accounts or API tokens to maintain persistent access, steal sensitive or proprietary images, or disable security enforcement, turning the registry into a blind spot for other security tools.
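As an added pre-install check (not code from Harbor or from the referenced report), the Python below audits the harbor_admin_password setting in a harbor.yml file and flags the default credential named above as well as weak values. The password policy it enforces (8 to 128 characters with an uppercase letter, a lowercase letter and a digit) is an assumption, and harbor_admin_password is assumed to set the admin password only on first install, so an already-running registry must be checked through its own admin interface instead.

```python
import re

# Publicly known default credential named in the advisory.
DEFAULT_ADMIN_PASSWORD = "Harbor12345"

# Assumed complexity policy: 8-128 chars, with upper, lower and digit.
_POLICY = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{8,128}$")

# Matches the top-level key; a trailing "  # comment" is ignored, but a '#'
# inside the value (no whitespace before it) is kept, as in YAML.
_KEY_RE = re.compile(r"^harbor_admin_password:\s*(.*?)(?:\s+#.*)?\s*$")


def parse_admin_password(harbor_yml: str):
    """Return the harbor_admin_password value, or None if absent/commented.

    Minimal line-based parse with no PyYAML dependency; strips one pair of
    matching single or double quotes around the value.
    """
    for line in harbor_yml.splitlines():
        m = _KEY_RE.match(line)
        if m:
            value = m.group(1)
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]
            return value
    return None


def audit_admin_password(harbor_yml: str) -> list:
    """Return a list of findings; an empty list means the setting passes."""
    pw = parse_admin_password(harbor_yml)
    if not pw:
        return ["harbor_admin_password is missing, commented out or empty"]
    if pw == DEFAULT_ADMIN_PASSWORD:
        return ["harbor_admin_password is the publicly known default Harbor12345"]
    if not _POLICY.match(pw):
        return ["harbor_admin_password does not meet the assumed complexity policy"]
    return []


# Constructed sample harbor.yml fragments (not from any real deployment).
WEAK_HARBOR_YML = "hostname: registry.example.internal\nharbor_admin_password: Harbor12345\n"
HARDENED_HARBOR_YML = (
    "hostname: registry.example.internal\n"
    'harbor_admin_password: "Xq7#vLm2pRt9wZ"  # initial value, rotate after install\n'
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_HARBOR_YML), ("hardened", HARDENED_HARBOR_YML)):
        print(name, audit_admin_password(cfg) or ["OK"])
```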
RECOMMENDATION:
We recommend updating Harbor to version 2.15.0 or later.
REFERENCES:
The following report contains further technical details:
https://securityonline.info/harbor-registry-vulnerability-default-credentials-cve-2026-4404/