Currently browsing: Technology

Overview
Ollama’s model quantization engine contains a vulnerability that allows an attacker with access to the model upload interface to read and potentially exfiltrate heap memory from the server. This issue may lead to unintended behavior, including unauthorized access to sensitive data and, in some cases, broader system compromise.
Description
Ollama is an open-source tool designed to run large language models (LLMs) locally on personal systems, including macOS, Windows, and Linux. Ollama supports model quantization, an optimization technique that reduces the numerical precision used in models to improve performance and efficiency.
An out-of-bounds heap read/write vulnerability has been identified in Ollama’s model processing engine. By uploading a specially crafted GPT-Generated Unified Format (GGUF) file and triggering the quantization process, an attacker can cause the server to read beyond intended memory boundaries and write the leaked data into a new model layer.
CVE-2026-5757: Unauthenticated remote information disclosure vulnerability in Ollama’s model quantization engine allows an attacker to read and exfiltrate the server’s heap memory, potentially leading to sensitive data exposure, further compromise, and stealthy persistence.
The vulnerability is caused by three combined factors:

No Bounds Checking: The quantization engine trusts tensor metadata (like element count) from the user-supplied GGUF file header without verifying it against the actual size of the provided data.
Unsafe Memory Access: Go’s unsafe.Slice is used to create a memory slice based on the attacker-controlled element count, which can extend far beyond the legitimate data buffer and into the application’s heap.
Data Exfiltration Path: The out-of-bounds heap data is inadvertently processed and written into a new model layer. Ollama’s registry API can then be used to “push” this layer to an attacker-controlled server, effectively exfiltrating the leaked memory.

Impact
An attacker with access to the model upload interface can exploit this vulnerability to read from or write to heap memory. This may result in exposure of sensitive data, data exfiltration, and potentially full system compromise.
Solution
Unfortunately, we were unable to reach the vendor to coordinate this vulnerability, and a patch is not yet available to address this vulnerability. The underlying issue should be addressed by implementing proper bounds checking to ensure that tensor metadata is validated against the actual size of the provided data before any memory operations are performed.
As an interim mitigation, access to the model upload functionality should be restricted or disabled, particularly in environments exposed to untrusted users or networks. Deployments should be limited to local or otherwise trusted network environments where possible. If model uploads are required for operational reasons, only models from trusted and verifiable sources should be accepted, and appropriate validation controls should be applied to reduce risk.
Acknowledgements
Thanks to the reporter Jeremy Brown, who detected the vulnerability through AI-assisted vulnerability research. This document was written by Timur Snoke.

Overview
Radware Alteon has a reflected Cross-Site Scripting (XSS) vulnerability in the parameter ReturnTo of the route /protected/login. This vulnerability allows an attacker to execute JavaScript in the host browser.
Description
CVE-2026-5754: Reflected Cross-Site Scripting (XSS) vulnerability in Radware Alteon 34.5.4.0 vADC load-balancer allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized actions, data theft, or other malicious activities.
A reflected Cross-Site Scripting (XSS) vulnerability exists in the ReturnTo parameter of the /protected/login route in Radware Alteon version 34.5.4.0. The vulnerability arises from the lack of user input sanitization, allowing an attacker to inject malicious scripts. Specifically, when a user requests a resource that redirects to a Microsoft SAML login page, the load-balancer redirects the user to the login page with a ReturnTo parameter that fails to sanitize user input. An attacker can exploit this by injecting a malicious payload in the ReturnTo parameter, which will be executed in the victim’s browser.
An example attack flow is below:

Attacker creates link with XSS payload in ReturnTo parameter.
Victim clicks malicious link, redirecting to login page.
Load-balancer reflects malicious ReturnTo parameter, executing XSS payload.
Attacker performs JavaScript code execution in the victim’s browser.

Impact
The impact of this vulnerability is significant, as it allows an attacker to execute arbitrary JavaScript code in a victim’s browser. Doing so enables a range of harmful activities, including the following: stealing session cookies and sensitive data; performing unauthorized actions on behalf of the victim; tricking users into falling for phishing attacks; and damaging a website’s reputation and user trust.
Solution
Unfortunately, we were unable to reach the vendor to coordinate this vulnerability. The vendor, Radware, has acknowledged the vulnerability in their customer portal and plans to patch it in the next version, 34.5.7.0. This version was expected to be released on March 31st, 2026, based upon the release notes, but it is unclear if this release occurred and included a fix. In the meantime, users are advised to take precautions to prevent exploitation, such as validating and encoding user input.
Acknowledgements
Thanks to the reporter, Loinaz Merino Cerrajeria, for bringing this vulnerability to our attention.This document was written by Timur Snoke.

Overview
Terrarium is a sandbox-based code execution platform that enables users to run and execute code in a controlled environment, providing a secure way to test and validate code. However, a vulnerability has been discovered in Terrarium that allows arbitrary code execution with root privileges on the host Node.js process. This vulnerability is caused by a JavaScript prototype chain traversal in the Pyodide WebAssembly environment.
Description
The root cause of the vulnerability lies in the configuration of jsglobals objects in service.ts. Specifically, the mock document object is created using a standard JavaScript object literal, which inherits properties from Object.prototype. This inheritance chain allows sandbox code to traverse up to the function constructor, create a function that returns globalThis, and from there access Node.js internals, including require(). As a result, an attacker can escape the sandbox and execute arbitrary system commands as root within the container.
CVE-2026-5752
Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal.
Impact
Applications that use Terrarium for sandboxed code execution may be compromised, allowing an attacker to:

Execute arbitrary commands as root inside the container
Access and modify sensitive files, including /etc/passwd and environment variables
Reach other services on the container’s network, including databases and internal APIs
Potentially escape the container and escalate privileges further

Mitigation
Unfortunately, we were unable to coordinate with the vendor to obtain a patch or fix for this vulnerability. In the meantime, several mitigation strategies can be employed to reduce the risk of exploitation. Users should consider implementing the following measures:

Disable unnecessary features: Disable any features that allow users to submit code to the sandbox, if possible.
Implement network segmentation: Segment the network to limit the attack surface and prevent lateral movement.
Use a Web Application Firewall (WAF): Deploy a WAF to detect and block suspicious traffic, including attempts to exploit the vulnerability.
Monitor container activity: Regularly monitor container activity for signs of suspicious behavior.
Implement access controls: Limit access to the container and its resources to authorized personnel only.
Use a secure container orchestration tool: Utilize a secure container orchestration tool to manage and secure containers.
Regularly update and patch dependencies: Ensure that dependencies are up-to-date and patched.

Acknowledgments
The vulnerability was discovered by Jeremy Brown, who used AI-assisted vulnerability research to identify the issue. This document was written by Timur Snoke with assistance from AI.

Overview
A remote code execution vulnerability has been discovered in the SGLang project, specifically in the reranking endpoint (/v1/rerank). A CVE has been assigned to track the vulnerability; CVE-2026-5760. An attacker can create a malicious model for SGLang to achieve RCE. Successful exploitation could allow arbitrary code execution in the context of the SGLang service, potentially leading to host compromise, lateral movement, data exfiltration, or denial-of-service (DoS) attacks. No response was obtained from the project maintainers during coordination.
Description
SGLang is an open-source framework for serving large language models (LLMs) and multimodal AI models, supporting models such as Qwen, DeepSeek, Mistral, and Skywork, and is compatible with OpenAI APIs. A vulnerability, tracked as CVE-2026-5760, has been discovered within the reranking endpoints. Using a cross-encoder model, the reranking endpoint reranks documents based on their relevance to a query.
An attacker exploits this vulnerability by creating a malicious GPT Generated Unified Format (GGUF) model file with a crafted tokenizer.chat_template parameter that contains a Jinja2 server-side template injection (SSTI) payload with a trigger phrase to activate the vulnerable code path. A tokenizer.chat_template is a metadata field that defines how text is structured before being processed. The victim then downloads and loads the model in SGLang, and when a request hits the /v1/rerank endpoint, the malicious template is rendered, executing the attacker’s arbitrary Python code on the server. This sequence of events enables the attacker to achieve remote code execution (RCE) on the SGLang server.
The vulnerability arises from the use of jinja2.Environment() without sandboxing in the getjinjaenv() function. This function sets up the environment for rendering Jinja2 templates, but since it lacks proper sandboxing, it fails to restrict the execution of arbitrary Python code. Consequently, when the reranking endpoint is accessed and a malicious model file containing a crafted tokenizer.chattemplate is loaded, the model can execute arbitrary commands on the server.
Impact
An attacker can create a malicious model for SGLang to achieve RCE. Successful exploitation could allow arbitrary code execution in the context of the SGLang service, potentially leading to host compromise, lateral movement, data exfiltration, or denial-of-service (DoS) attacks. Deployments that expose the affected interface to untrusted networks are at the highest risk of exploitation.
Solution
To mitigate this vulnerability, it is recommended to use ImmutableSandboxedEnvironment instead of jinja2.Environment() to render the chat templates. This will prevent the execution of arbitrary Python code on the server. No response or patch was obtained during the coordination process.
Acknowledgements
Thanks to the reporter, Stuart Beck. This document was written by Christopher Cullen.

Overview
Multiple vulnerabilities have been identified in Orthanc DICOM Server version, 1.12.10 and earlier, that affect image decoding and HTTP request handling components. These vulnerabilities include heap buffer overflows, out-of-bounds reads, and resource exhaustion vulnerabilities that may allow attackers to crash the server, leak memory contents, or potentially execute arbitrary code.
Description
Orthanc is an open-source lightweight Digital Imaging and Communications in Medicine (DICOM) server used to store, process, and retrieve medical imaging data in healthcare environments. The following nine vulnerabilities identified in Orthanc primarily stem from unsafe arithmetic operations, missing bounds checks, and insufficient validation of attacker-controlled metadata in DICOM files and HTTP requests.
CVE-2026-5437 An out-of-bounds read vulnerability exists in DicomStreamReader during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic.
CVE-2026-5438 A gzip decompression bomb vulnerability exists when Orthanc processes an HTTP request with Content-Encoding: gzip. The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory.
CVE-2026-5439 A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
CVE-2026-5440 A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the Content-Length header. The server allocates memory directly based on the attacker-supplied header value without enforcing an upper limit. A crafted HTTP request containing an extremely large Content-Length value, such as approximately 4 GB, can trigger excessive memory allocation and server termination, even without sending a request body.
CVE-2026-5441 An out-of-bounds read vulnerability exists in the DecodePsmctRle1 function of DicomImageDecoder.cpp. The PMSCT_RLE1 decompression routine, which decodes the proprietary Philips Compression format, does not properly validate escape markers placed near the end of the compressed data stream. A crafted sequence at the end of the buffer can cause the decoder to read beyond the allocated memory region and leak heap data into the rendered image output.
CVE-2026-5442 A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instead of the expected VR Unsigned Short (US), which allows extremely large dimensions to be processed. This causes an integer overflow during frame size calculation and results in out-of-bounds memory access during image decoding.
CVE-2026-5443 A heap buffer overflow vulnerability exists during the decoding of PALETTE COLOR DICOM images. Pixel length validation uses 32-bit multiplication for width and height calculations. If these values overflow, the validation check incorrectly succeeds, allowing the decoder to read and write to memory beyond allocated buffers.
CVE-2026-5444 A heap buffer overflow vulnerability exists in the PAM ( https://netpbm.sourceforge.net/doc/pam.html) image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensions are multiplied using 32-bit unsigned arithmetic. Specially chosen values can cause an integer overflow during buffer size calculation, resulting in the allocation of a small buffer followed by a much larger write operation during pixel processing.
CVE-2026-5445 An out-of-bounds read vulnerability exists in the DecodeLookupTable function within DicomImageDecoder.cpp. The lookup-table decoding logic used for PALETTE COLOR images does not validate pixel indices against the lookup table size. Crafted images containing indices larger than the palette size cause the decoder to read beyond allocated lookup table memory and expose heap contents in the output image.
Impact
The vulnerabilities in Orthan DICOM Server 1.20.10 allow attackers to trigger heap memory corruption, out-of-bounds read, information disclosure, and denial-of-service conditions through crafted DICOM files and HTTP requests. The most severe issues are heap-based buffer overflows in image parsing and decoding logic, which can crash the Orthanc process and may, under certain conditions, provide a pathway to remote code execution (RCE). Several additional flaws permit out-of-bounds reads that can expose heap-resident data, including allocator metadata, internal identifiers, points, and portions of adjacent DICOM content through rendered image output.
In addition, multiple vulnerabilities allow resource exhaustion by causing Orthanc to allocate excessive amounts of memory based on attacker-controlled metadata such as Content-Length, ZIP archive size fields, and gzip decompression size values. These conditions can reliably result in process termination and denial of service, often with only a small, crafted payload. Some of the affected code paths may also allow malicious DICOM content to be stored and later re-triggered during normal processing, increasing the persistence and operational impact of exploitation.
Solution
Orthanc has released version 1.12.11 to address these vulnerabilities, and users are strongly encouraged to upgrade as soon as possible. Administrators should review deployment configurations to limit exposure of upload and image processing functionality to trusted users and networks wherever possible. Refer to Orthanc documentation and release notes for patching and deployment guidance.
Acknowledgements
Thanks to Dr. Simon Weber and Volker Schönefeld of Machine Spirits UG (https://machinespirits.com) for the disclosure of these vulnerabilities. This document was written by Michael Bragg.

Overview
Artifex’s MuPDF contains an integer overflow vulnerability, CVE-2026-3308, in versions up to and including 1.27.0. Using a specially crafted PDF, an attacker can trigger an integer overflow resulting in out-of-bounds heap writes. This heap corruption typically causes the application to crash, but in some cases could be exploited to enable arbitrary code execution.
Description
Artifex MuPDF is a lightweight framework for viewing and converting PDF, XPS, and e-book files. A vulnerability exists in pdf_load_image_imp, which is responsible for preparing image data for decoding.
The function processes image parameters including w (width), h (height), and bpc (bits per component), which are used to determine the amount of memory allocated during image decoding. The current implementation validates these parameters against SIZE_MAX rather than INT_MAX, but because stride calculations use integer-sized values, this check does not sufficiently protect against integer overflow when exceedingly large values are supplied.
When the overflow occurs, the resulting corrupted values are passed into the fz_unpack_stream function, which expands packed image samples into a destination buffer during image decoding. Because this too-small overflow value is used to calculate the size of the destination buffer, not enough memory is allocated for the actual size of the image. This causes fz_unpack_stream to write beyond the bounds of the allocated heap buffer, resulting in a heap out-of-bounds write.
Impact
Successful exploitation results in a heap out-of-bounds write during PDF image decoding. This condition may cause application crashes and memory corruption, or could potentially allow arbitrary code execution within the context of the application rendering the PDF.
Since this vulnerability is triggered during standard PDF parsing operations, any system that automatically processes or renders untrusted PDF files using MuPDF may be affected.
Solution
Unfortunately, the vendor was unreachable to coordinate this vulnerability. Until a complete fix is available, users should avoid processing untrusted PDF files with affected MuPDF-based applications where possible. Applications that rely on MuPDF should isolate document rendering in a sandboxed or low-privilege process and disable automatic rendering or conversion of untrusted files if feasible. A Pull Request (PR) was with the fix is available at: https://github.com/ArtifexSoftware/mupdf/pull/87
Acknowledgements
Thanks toYarden Porat from Cyata for reporting this vulnerability. This document was written by Michael Bragg.
CVE-2026-3308
An integer overflow vulnerability in ‘pdf-image.c’ in Artifex’s MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the ‘pdf_load_image_imp’ function. This allows a heap out-of-bounds write that could be exploited for arbitrary code execution.

Overview
Kyverno, versions 1.16.0 to present, contains an SSRF vulnerability in its CEL-based HTTP functions, which lack URL validation or namespace scoping and allow namespaced policies to trigger arbitrary internal HTTP requests. An attacker with only namespace-level permissions can exploit this to access sensitive internal services via the highly privileged Kyverno admission controller.
Description
Kyverno is an open-source, Kubernetes-native policy engine that functions as a dynamic admission controller for the Kubernetes API. It is designed to manage the lifecycle of cluster resources by validating, mutating, and generating configurations based on YAML-defined policies. Within a security context, the engine is frequently utilized to enforce Pod Security Standards, verify image signatures via Cosign, and audit resource configurations for compliance. Because Kyverno operates with high-level permissions to intercept and modify API requests, it represents a critical component of the cluster’s security posture and trust boundary.
A server-side request forgery vulnerability exists in Kyverno’s CEL-based HTTP functions (Get and Post) used by namespaced policy types in the policies.kyverno.io API group. Unlike Kyverno’s resource library, which enforces namespace boundaries, the HTTP library at pkg/cel/libs/http/http.go performs no URL validation or scoping; i.e., there are no blocklists, namespace restrictions, or destination checks. As a result, these policies can issue arbitrary HTTP requests from the Kyverno admission controller pod.
Impact
An authenticated attacker with only namespace-scoped permissions can create a malicious namespaced policy that sends an internal http.Get() request, captures the response in a CEL variable, and exfiltrates it via the policy’s messageExpression field returned in the admission denial. Because requests originate from the Kyverno admission controller, which often has privileged network reachability across internal cluster services and cloud metadata APIs, this enables cross-namespace data access and potential exposure of sensitive metadata or service responses, effectively breaking Kyverno’s intended security boundaries through SSRF.
Solution
Unfortunately, we were unable to reach the vendor to coordinate this vulnerability. Since a patch is unavailable, we can only offer mitigation strategies.
Mitigation should include implementing strict URL validation and destination controls within Kyverno’s CEL HTTP library to ensure parity with the namespace-scoped restrictions enforced by the resource library. Recommended safeguards include blocking access to link-local and cloud metadata address ranges, limiting outbound requests to approved in-cluster services, and providing administrators with configurable allowlists. Additionally, applying default deny network policies to the Kyverno admission controller pod can reduce residual risk by preventing unauthorized egress in the event of future validation gaps.
Acknowledgements
Thanks to Igor Stepansky from Orca Security Research Pod for responsibly disclosing this vulnerability. This document was written by Dr. Elke Drennan, CISSP.

Overview
Four vulnerabilities have been identified in CrewAI, including remote code execution (RCE), arbitrary local file read, and server-side request forgery (SSRF). CVE-2026-2275 is directly caused by the Code Interpreter Tool. The other three vulnerabilities result from improper default configuration settings within the main CrewAI agent and associated Docker images. An attacker who can interact with a CrewAI agent that has the Code Interpreter Tool enabled may exploit these issues through prompt injection, ultimately chaining the vulnerabilities together. The vendor has provided a statement addressing some, but not all, of the reported vulnerabilities.
Description
CrewAI is a tool for building and orchestrating multi-agent AI systems. These agents are intended to work together to complete tasks, and developers define those tasks and workflows. CrewAI supports various tools, including one called the “Code Interpreter Tool”, intended for execution of Python code within a secure Docker container.
CVE-2026-2275 origintates from the Code Interpreter tool itself. The remaining vulnerabilities stem from insecure fallback behaviors and configuration issues in the CrewAI agent and Docker environment. Exploitation of CVE-2026-2275 may enable attackers to trigger the additional vulnerabilities.
The vulnerabilities are listed below:
CVE-2026-2275
The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable code execution through arbitrary C function calls. This vulnerability can be triggered if: allow_code_execution=True is enabled in the agent configuration, or if the Code Interpreter Tool is manually added to the agent by the developer.
CVE-2026-2286
CrewAI contains a server-side request forgery (SSRF) vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime.
CVE-2026-2287
CrewAI does not properly check that Docker is still running during runtime, and will fall back to a sandbox setting that allows for RCE exploitation.
CVE-2026-2285
CrewAI contains a arbitrary local file read vulnerability in the JSON loader tool that reads files without path validation, enabling access to files on the server.
Impact
An attacker with the ability to influence a CrewAI agent using the Code Interpreter Tool through either direct or indirect prompt injection can use the four vulnerabilities discovered to perform arbitrary file read, RCE, and server side request forgery. The results of the attacks can vary, as the attacker will achieve sandbox bypass and RCE/file read if the host machine is using Docker, or full RCE if the host machine is in configuration mode or unsafe mode. An attacker can use the arbitrary file read and SSRF vulnerabilities to perform credential theft, or the RCE vulnerabilities to perform further leveraging of the compromised device.
Solution
During coordinated disclosure, the vendor provided a statement addressing CVE-2026-2275 and CVE-2026-2287.
The vendor has indicated plans to take the following actions to improve security of CrewAI framework:

Add ctypes and related modules to BLOCKED_MODULES in an upcoming release
Evaluate configuration changes to fail closed rather than fall back to sandbox mode
Provide clearer runtime warnings when sandbox mode is active
Improve security-related documentation

At the time of writing, no complete patch is available for all disclosed vulnerabilities. Until fixes are released, users should:

Remove or restrict or disable the Code Interpreter Tool wherever possible
Remove (or avoid) enabling allow_code_execution=True setting unless absolutely necessary
Limit the agent exposure to untrusted input or santiize input as appropriate
Monitor Docker availability and prevent fallback to insecure sandbox modes

Acknowledgements
Thanks to the reporter, Yarden Porat of Cyata. This document was written by Christopher Cullen.

Overview
The IDrive Cloud Backup Client for Windows, versions 7.0.0.63 and earlier, contains a privilege escalation vulnerability that allows any authenticated user to run arbitrary executables with NT AUTHORITYSYSTEM permissions.
Description
IDrive is a cloud backup service that allows users to encrypt, sync, and store data from multiple devices such as PCs, Macs, iPhones, and Androids in one cloud-based account. IDrive provides a Windows client for both desktop and server editions, which acts as both a thick client and a thin client with a web interface to manage cloud backups.
CVE-2026-1995 The IDrive Windows client utility id_service.exe runs as a process with elevated SYSTEM privileges and regularly reads from several files located under C:ProgramDataIDrive. The UTF16-LE encoded contents of these files are used by the service as arguments for starting processes. Because of weak permission configurations, these files can be edited by any standard user logged into the system. An authenticated, low-privilege attacker can overwrite or add a new file that specifies a path to an arbitrary script or .exe, which will then be executed by the id_service.exe process with SYSTEM privileges.
Impact
This vulnerability enables an authenticated local user, or any user with access to the affected directory, to execute arbitrary code as SYSTEM on the target Windows device. A local attacker could exploit this vulnerability to escalate privileges and gain full control over the target machine, potentially enabling data theft, system modification, or arbitrary script execution.
Solution
IDrive has reported that a patch for this vulnerability is currently in development. Users should monitor IDrive releases and update their software to the latest version as soon as it becomes available. In the meantime, users are advised to restrict write permissions for the affected directory and employ additional controls such as EDR monitoring and Group Policies to detect and prevent unauthorized file modifications.
Acknowledgements
Thanks to Matthew Owens and FRSecure for discovering and reporting this vulnerability. This document was written by Molly Jaconski.

Overview
GoHarbor’s Harbor default admin password presents a security risk because it does not require change upon initial deployment.
Description
GoHarbor’s Harbor is an open-source OCI-compliant container registry project that stores, signs, and manages container images. Harbor initializes with a default administrator account (admin) and password (Harbor12345), configured through the harbor_admin_password parameter in the harbor.yml.
While operators are expected to change these credentials during or after deployment, Harbor does not enforce a password change during setup or upon first login. If the default credentials remain unchanged, a remote attacker can authenticate using the publicly known password to gain full administrative access.
Impact
An attacker who gains administrative access can fully compromise the Harbor registry and all managed artifacts. This includes the ability to overwrite or inject malicious container images, enabling supply-chain attacks that may lead to remote code execution in downstream continuous integration and continuous development (CI/CD) pipelines and Kubernetes environments. The attacker can establish persistent access by creating new users, robot accounts, or API tokens, and can weaken or disable security controls such as vulnerability scanning, signature enforcement, and role-based access controls.
Additionally, sensitive images can be exfiltrated by configuring replication to external registries or downloading artifacts directly. Administrative privileges also allow destructive actions such as deleting repositories or corrupting artifacts, resulting in service disruption and loss of system integrity.
Solution
Operators should change the default administrative password either before or immediately after deployment. This can be done through the Harbor web interface or by specifying a unique value for harbor_admin_password in harbor.yml during installation.
A fix has been proposed to address the hardcoded default password by removing or randomizing default credentials during installation. See the Harbor pull request:
https://github.com/goharbor/harbor/pull/19188https://github.com/goharbor/harbor/pull/19188
Acknowledgements
Thanks to notnotnotveg (notnotnotveg@gmail.com) who reported this vulnerability. This document was written by Michael Bragg.