CISA issues guidance on default admin credentials in GoHarbor Harbor
GoHarbor Harbor deployments that retain the default administrator credentials face a credential-based security risk that can lead to full administrative takeover of the registry and compromise of managed container artifacts.
The Harbor project is an open-source OCI-compliant container registry that stores, signs, and manages container images. Harbor initializes with a default administrator account (admin) and password (Harbor12345), configured through the harbor_admin_password parameter in harbor.yml. The installer does not enforce a password change during setup or upon first login. If the default credentials remain unchanged, a remote attacker can authenticate using the publicly known password to gain full administrative access.
An attacker with administrative access can fully compromise the Harbor registry and all managed artifacts. This includes overwriting or injecting malicious container images, establishing persistent access by creating new users, robot accounts, or Application Programming Interface (API) tokens, and weakening or disabling security controls such as vulnerability scanning, signature enforcement, and role-based access controls. The attacker can also exfiltrate sensitive images by configuring replication to external registries or downloading artifacts directly. Administrative privileges additionally allow destructive actions such as deleting repositories or corrupting artifacts, resulting in service disruption and loss of system integrity.
Operators are instructed to change the default administrative password either before or immediately after deployment. The advisory states this can be done through the Harbor web interface or by specifying a unique value for harbor_admin_password in harbor.yml during installation. A fix has been proposed to address the hardcoded default password by removing or randomizing default credentials during installation, with the referenced Harbor pull request at https://github.com/goharbor/harbor/pull/19188.
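As an added example (not code from the advisory or the Harbor project), the following stdlib-only Python check audits a harbor.yml for the default harbor_admin_password before installation. It runs over two constructed fragments, one left at the published default and one set to a unique value; the hostnames and the hardened password are made-up sample values.

```python
import re

# Default administrator password named in the advisory.
DEFAULT_ADMIN_PASSWORD = "Harbor12345"

# Constructed sample: a harbor.yml fragment that still carries the default.
WEAK_HARBOR_YML = """\
hostname: registry.example.internal
harbor_admin_password: Harbor12345
database:
  password: root123
"""

# Constructed sample: the same fragment with a unique value set before install.
HARDENED_HARBOR_YML = """\
hostname: registry.example.internal
harbor_admin_password: "uP3#q9vL!t2Wz8mR4kXh"
database:
  password: root123
"""

# Only an un-indented key counts, so nested keys such as database.password are ignored.
_KEY_RE = re.compile(r"^harbor_admin_password:\s*(.*?)\s*$")


def extract_admin_password(yml_text: str):
    """Return the top-level harbor_admin_password value, or None if the key is absent."""
    for line in yml_text.splitlines():
        m = _KEY_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        # Drop a trailing YAML comment, then any surrounding quotes.
        value = re.split(r"\s+#", value, maxsplit=1)[0].strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        return value
    return None


def audit_harbor_yml(yml_text: str) -> list[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    findings: list[str] = []
    pw = extract_admin_password(yml_text)
    if pw is None:
        findings.append("harbor_admin_password not set: verify the admin password is not the default Harbor12345")
    elif pw == DEFAULT_ADMIN_PASSWORD:
        findings.append("harbor_admin_password is the published default Harbor12345")
    elif pw == "":
        findings.append("harbor_admin_password is empty")
    return findings
```

The value in harbor.yml is only applied when Harbor is first installed, so on an already running registry the password must be changed through the web interface instead.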
GoHarbor’s documentation referenced in the advisory notes that if the default administrator username and password are not changed in harbor.yml, they are admin and Harbor12345. The referenced issue is https://github.com/goharbor/harbor/issues/1937. The advisory also includes CVE-2026-4404 and links to https://cwe.mitre.org/data/definitions/1393.html.