CVE-2026-4404
Harbor · Harbor (GoHarbor)
GoHarbor Harbor version 2.15.0 and below uses hard-coded credentials, allowing unauthenticated attackers to gain administrative access to the web user interface.
Executive summary
Harbor container registries are at critical risk of unauthorized access due to the use of hard-coded default credentials, potentially leading to the compromise of private container images.
Vulnerability
This vulnerability involves the use of hard-coded credentials in the Harbor software. This allows an attacker who knows the default password to log into the web UI with administrative privileges without needing to bypass any other security layers.
Business impact
The impact is severe, as an attacker with administrative access to a container registry can steal proprietary source code, inject malicious code into container images (supply chain attack), or delete critical infrastructure components. The CVSS score of 9.4 reflects the high impact on confidentiality and integrity resulting from this authentication failure.
Remediation
Immediate Action: Update Harbor to the latest version and immediately change all default administrative passwords.
Proactive Monitoring: Review Harbor access logs for logins using the default "admin" account, especially from unknown or external IP addresses.
Compensating Controls: Ensure the Harbor UI is not exposed to the public internet and implement Multi-Factor Authentication (MFA) if supported by your identity provider integration.
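The log review under Proactive Monitoring, as an added defender-side example that is not part of the advisory: it flags successful "admin" logins from outside trusted management networks and counts failed attempts. The JSON-lines record layout and the network ranges are constructed assumptions, not Harbor's actual log format.

```python
"""Review login records for use of Harbor's built-in "admin" account from
outside trusted networks. Added example: the JSON-lines layout below is
constructed for illustration and is not Harbor's actual log format."""
import ipaddress
import json
from typing import Iterable

# Networks the registry is normally administered from (placeholder ranges;
# substitute your own management networks).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed sample records (assumed field names, not Harbor's own).
SAMPLE_LOG = """\
{"time": "2026-03-01T08:02:11Z", "user": "admin", "event": "login", "result": "success", "client_ip": "10.20.3.7"}
{"time": "2026-03-01T08:05:42Z", "user": "ci-bot", "event": "login", "result": "success", "client_ip": "203.0.113.10"}
{"time": "2026-03-01T21:17:03Z", "user": "admin", "event": "login", "result": "success", "client_ip": "203.0.113.45"}
{"time": "2026-03-01T21:17:05Z", "user": "admin", "event": "login", "result": "failure", "client_ip": "198.51.100.9"}
not-json-garbage-line
{"time": "2026-03-02T02:40:19Z", "user": "admin", "event": "login", "result": "success", "client_ip": "192.168.50.12"}
"""


def is_trusted(ip: str) -> bool:
    """True when the client address lies inside a trusted management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def review_admin_logins(lines: Iterable[str], account: str = "admin") -> dict:
    """Return successful logins by `account` from untrusted addresses, plus a
    count of failed attempts (a burst of failures suggests password guessing)."""
    external_success, failed = [], 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip lines that are not records
        if rec.get("event") != "login" or rec.get("user") != account:
            continue
        if rec.get("result") == "failure":
            failed += 1
        elif not is_trusted(rec["client_ip"]):
            external_success.append((rec["time"], rec["client_ip"]))
    return {"external_success": sorted(external_success), "failed_attempts": failed}


if __name__ == "__main__":
    for when, ip in review_admin_logins(SAMPLE_LOG.splitlines())["external_success"]:
        print(f"ALERT: admin login from untrusted address {ip} at {when}")
```

Any hit in `external_success` on a registry still running with the shipped default password should be treated as a likely compromise, not just a policy violation.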
Exploitation status
Public Exploit Available: No
Analyst recommendation
Immediate password rotation is the most critical step. Following that, upgrading to a version that enforces password changes or removes hard-coded defaults is essential to maintain a secure container supply chain.