Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
5 vulnerabilities by Harbor
CVE-2026-4404 (GCVE-0-2026-4404)
Vulnerability from cvelistv5 – Published: 2026-03-23 14:47 – Updated: 2026-03-24 15:25
VLAI?
Title
Use of hard coded credentials in GoHarbor Harbor
Summary
Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.
Severity ?
9.4 (Critical)
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4404",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:24:29.261835Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1393",
"description": "CWE-1393 Use of Default Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:25:52.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-03-24T15:25:10.390Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/577436"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Harbor",
"vendor": "Harbor",
"versions": [
{
"lessThanOrEqual": "2.15.0",
"status": "affected",
"version": "0.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-798 Use of Hard-coded Credentials",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T14:47:13.396Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345"
},
{
"url": "https://github.com/goharbor/harbor/issues/1937"
},
{
"url": "https://cwe.mitre.org/data/definitions/1393.html"
},
{
"url": "https://github.com/goharbor/harbor/pull/22751"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Use of hard coded credentials in GoHarbor Harbor",
"x_generator": {
"engine": "VINCE 3.0.34",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-4404"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-4404",
"datePublished": "2026-03-23T14:47:13.396Z",
"dateReserved": "2026-03-18T19:43:57.063Z",
"dateUpdated": "2026-03-24T15:25:10.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-22278 (GCVE-0-2024-22278)
Vulnerability from cvelistv5 – Published: 2024-08-02 00:59 – Updated: 2024-08-14 21:35
VLAI?
Title
Harbor fails to validate the user permissions when updating project configurations
Summary
Incorrect user permission validation in Harbor <v2.9.5 and Harbor <v2.10.3 allows authenticated users to modify configurations.
Severity ?
6.4 (Medium)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22278",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T16:14:46.125656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T16:15:02.950Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "harbor",
"vendor": "harbor",
"versions": [
{
"lessThan": "\u003cv2.9.5",
"status": "affected",
"version": "2.9.4",
"versionType": "custom"
},
{
"lessThan": "\u003cv2.10.3",
"status": "affected",
"version": "2.10.2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect user permission validation in Harbor \u0026lt;v2.9.5 and Harbor \u0026lt;v2.10.3 allows authenticated users to modify configurations."
}
],
"value": "Incorrect user permission validation in Harbor \u003cv2.9.5 and Harbor \u003cv2.10.3 allows authenticated users to modify configurations."
}
],
"impacts": [
{
"capecId": "CAPEC-176",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-176 Configuration/Environment Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T21:35:37.751Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-hw28-333w-qxp3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor fails to validate the user permissions when updating project configurations",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-22278",
"datePublished": "2024-08-02T00:59:55.313Z",
"dateReserved": "2024-01-08T18:43:18.959Z",
"dateUpdated": "2024-08-14T21:35:37.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22261 (GCVE-0-2024-22261)
Vulnerability from cvelistv5 – Published: 2024-06-10 23:25 – Updated: 2024-08-01 22:43
VLAI?
Title
SQL Injection in Harbor scan log API
Summary
SQL-Injection in Harbor allows priviledge users to leak the task IDs
Severity ?
CWE
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-12T19:29:24.478745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T20:26:08.086Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:34.096Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-vw63-824v-qf2j"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Harbor",
"product": "Harbor",
"repo": "https://github.com/goharbor",
"vendor": "Harbor",
"versions": [
{
"lessThanOrEqual": "2.8.5",
"status": "affected",
"version": "2.8.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.9.3",
"status": "affected",
"version": "2.9.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.10.1",
"status": "affected",
"version": "2.10.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eSQL-Injection in Harbor allows priviledge users to leak the task IDs\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "SQL-Injection in Harbor allows priviledge users to leak the task IDs"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-566",
"description": "CWE-566",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T23:25:32.158Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-vw63-824v-qf2j"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL Injection in Harbor scan log API",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-22261",
"datePublished": "2024-06-10T23:25:32.158Z",
"dateReserved": "2024-01-08T18:43:17.077Z",
"dateUpdated": "2024-08-01T22:43:34.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22244 (GCVE-0-2024-22244)
Vulnerability from cvelistv5 – Published: 2024-06-10 23:02 – Updated: 2024-08-01 22:43
VLAI?
Title
Harbor Open Redirect URL
Summary
Open Redirect in Harbor <=v2.8.4, <=v2.9.2, and <=v2.10.0 may redirect a user to a malicious site.
Severity ?
4.3 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22244",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-11T18:31:28.512933Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-11T18:31:37.085Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:33.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-5757-v49g-f6r7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Harbor",
"repo": "https://github.com/goharbor/harbor",
"vendor": "Harbor",
"versions": [
{
"lessThanOrEqual": "2.8.4",
"status": "affected",
"version": "2.8",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.9.2",
"status": "unknown",
"version": "2.9",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.10.0",
"status": "affected",
"version": "2.10",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Open Redirect in Harbor\u0026nbsp; \u0026lt;=v2.8.4, \u0026lt;=v2.9.2, and \u0026lt;=v2.10.0 may redirect a user to a malicious site."
}
],
"value": "Open Redirect in Harbor\u00a0 \u003c=v2.8.4, \u003c=v2.9.2, and \u003c=v2.10.0 may redirect a user to a malicious site."
}
],
"impacts": [
{
"capecId": "CAPEC-98",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-98 Phishing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T23:02:59.347Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-5757-v49g-f6r7"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Harbor Open Redirect URL",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-22244",
"datePublished": "2024-06-10T23:02:59.347Z",
"dateReserved": "2024-01-08T18:43:03.535Z",
"dateUpdated": "2024-08-01T22:43:33.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-20902 (GCVE-0-2023-20902)
Vulnerability from cvelistv5 – Published: 2023-11-09 00:36 – Updated: 2024-09-04 13:18
VLAI?
Title
Timing attack risk in Harbor
Summary
A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below, Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to
create jobs/stop job tasks and retrieve job task information.
Severity ?
5.9 (Medium)
CWE
- In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks.
Assigner
References
Impacted products
Credits
Thanks to Porcupiney Hairs for reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T09:21:33.417Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-20902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T13:11:13.739344Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T13:18:17.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Project",
"vendor": "Harbor",
"versions": [
{
"status": "affected",
"version": "\u003c=Harbor 2.6.x, \u003c=Harbor 2.7.2, \u003c=Harbor 2.8.2, \u003c=Harbor 1.10.17"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thanks to Porcupiney Hairs for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,\u0026nbsp; Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to \u003cbr\u003ecreate jobs/stop job tasks and retrieve job task information.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "A timing condition in Harbor 2.6.x and below, Harbor 2.7.2 and below,\u00a0 Harbor 2.8.2 and below, and Harbor 1.10.17 and below allows an attacker with network access to \ncreate jobs/stop job tasks and retrieve job task information.\n\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "In the Harbor jobservice container, the comparison of secrets in the authenticator type is prone to timing attacks.",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-09T00:36:25.369Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://github.com/goharbor/harbor/security/advisories/GHSA-mq6f-5xh5-hgcf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Timing attack risk in Harbor",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2023-20902",
"datePublished": "2023-11-09T00:36:25.369Z",
"dateReserved": "2022-11-01T15:41:50.396Z",
"dateUpdated": "2024-09-04T13:18:17.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}