- Last update: 25/03/2026
- Affected software: GoHarbor Harbor version 2.15.0 and below
- Type: Hard-coded Credentials
- CVE/CVSS: CVE-2026-4404: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
- References: GoHarbor advisory: https://github.com/advisories/ghsa-hj7x-hmf2-hc2p
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4404
If successfully exploited, attackers can authenticate to the Harbor web UI without valid credentials by
using the default hard-coded password. This results in unauthorized access to the container registry
management interface, allowing attackers to view, modify, or delete container images, manage
repositories, and perform administrative actions.
Such access also enables attackers to overwrite or inject malicious container images, creating a risk of
supply chain compromise. This could lead to further impacts, including remote code execution in
downstream CI/CD pipelines and Kubernetes environments.
GoHarbor Harbor is a widely adopted, OCI-compliant open-source container registry, used especially in
cloud-native environments. It stores, signs, and manages container images.
CVE-2026-4404 represents a critical vulnerability (CVSS score of 9.4) found in GoHarbor versions 2.15.0
and below that allows attackers to leverage a default, hardcoded password to gain unauthorized access
to the application’s web UI.
The core issue is the use of hardcoded credentials within GoHarbor Harbor. Specifically, a default
password is embedded in the application’s code for versions 2.15.0 and earlier. This isn’t a bypass or an
injection; it’s a known, fixed credential that an attacker can simply use. The presence of this default
password means that any instance running the vulnerable versions, where this password hasn’t been
changed post-installation, is susceptible to unauthorized access.
Instances running versions above 2.15.0 are not affected by this vulnerability.
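The version boundary above is the practical triage question for an operator with several registries. The following is an added example, not code from the CCB advisory or from the Harbor project: it parses the `harbor_version` field that Harbor v2 returns from its `/api/v2.0/systeminfo` endpoint (a real endpoint, normally reachable without authentication) and classifies each instance as affected (2.15.0 and below), not affected, or unknown. The hostnames and JSON bodies are constructed for the demonstration; the script does not attempt the hard-coded credential itself, since the advisory does not disclose it.

```python
import json
import re
import urllib.request
from typing import Optional, Tuple

# Harbor v2 API endpoint that reports the running version (real endpoint).
SYSTEMINFO_PATH = "/api/v2.0/systeminfo"
# Highest affected release according to the advisory: 2.15.0 and below.
LAST_AFFECTED = (2, 15, 0)

# harbor_version strings look like "v2.15.0-7a1b2c3d"; we only need the numeric triple.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_harbor_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a harbor_version string, or None if absent."""
    m = _VERSION_RE.search(raw or "")
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(raw_version: str) -> Optional[bool]:
    """True for 2.15.0 and below, False for anything newer, None when unparseable.

    An unparseable version is deliberately reported as unknown, never as safe.
    """
    v = parse_harbor_version(raw_version)
    if v is None:
        return None
    return v <= LAST_AFFECTED


def assess_systeminfo(body: str) -> dict:
    """Classify one systeminfo JSON body (non-JSON bodies yield an 'unknown' result)."""
    try:
        info = json.loads(body)
    except json.JSONDecodeError:
        return {"version": None, "affected": None, "auth_mode": None}
    raw = info.get("harbor_version", "")
    return {
        "version": raw,
        "affected": is_affected(raw),
        # auth_mode is reported for context only; the advisory does not tie the
        # issue to a particular authentication mode.
        "auth_mode": info.get("auth_mode"),
    }


def fetch_systeminfo(base_url: str, timeout: float = 5.0) -> str:
    """Retrieve the systeminfo document from a live Harbor instance."""
    url = base_url.rstrip("/") + SYSTEMINFO_PATH
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses (hypothetical hosts, not captured from real systems).
SAMPLE_RESPONSES = {
    "https://registry-a.example.internal": '{"harbor_version": "v2.15.0-7a1b2c3d", "auth_mode": "db_auth"}',
    "https://registry-b.example.internal": '{"harbor_version": "v2.16.0-e4f5a6b7", "auth_mode": "oidc_auth"}',
    "https://registry-c.example.internal": '{"harbor_version": "v2.9.1-11223344", "auth_mode": "db_auth"}',
    "https://registry-d.example.internal": "<html>not a harbor instance</html>",
}


def triage(responses: dict) -> dict:
    """Map each base URL to its assessment."""
    return {url: assess_systeminfo(body) for url, body in responses.items()}


if __name__ == "__main__":
    # For live use, replace SAMPLE_RESPONSES with {url: fetch_systeminfo(url) for url in hosts}.
    labels = {True: "AFFECTED", False: "not affected", None: "UNKNOWN"}
    for url, result in triage(SAMPLE_RESPONSES).items():
        print(f"{url}: {labels[result['affected']]} "
              f"(version={result['version']!r}, auth_mode={result['auth_mode']})")
```

Any host that comes back UNKNOWN (no parseable version) should be checked by hand rather than dropped from the list; a proxy error page or a non-Harbor service on the same name is the usual cause.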
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable Harbor instances with the highest priority, after thorough testing.
Mitigate
The Centre for Cybersecurity Belgium strongly recommends changing the default credentials on every Harbor instance where this has not already been done.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
- cert.org: https://www.kb.cert.org/vuls/id/577436