Nixpkgs security tracker

Permalink CVE-2026-4404

9.4 CRITICAL

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): Low (L)

created 2 months ago Activity log

Created suggestion 2 months ago

Use of hard coded credentials in GoHarbor Harbor

Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.

References

Affected products

Harbor

=<2.15.0

Matching in nixpkgs

pkgs.harbor-cli

Command-line tool facilitates seamless interaction with the Harbor container registry

nixos-unstable 0.0.18
- nixpkgs-unstable 0.0.18
- nixos-unstable-small 0.0.18
nixos-25.11 0.0.14
- nixos-25.11-small 0.0.14
- nixpkgs-25.11-darwin 0.0.14

pkgs.terraform-providers.harbor

None

nixos-unstable 3.11.3
- nixpkgs-unstable 3.11.3
- nixos-unstable-small 3.11.3
nixos-25.11 3.11.2
- nixos-25.11-small 3.11.2
- nixpkgs-25.11-darwin 3.11.2

pkgs.terraform-providers.goharbor_harbor