GHSA-PRH4-VHFH-24MJ: Information Exposure in Harbor Configuration Audit Logs

via Dev.to, CVE Reports

Vulnerability ID: GHSA-PRH4-VHFH-24MJ
CVSS Score: 5.3
Published: 2026-03-26

Harbor, an open-source cloud native registry, contains a Moderate severity vulnerability (CWE-532) in its audit logging subsystem. The application relies on an incomplete blacklist to redact sensitive data from configuration payloads. This failure causes LDAP passwords, specifically ldap_search_password, and OpenID Connect (OIDC) client secrets to be written to the database in plain text within the operation description field. This vulnerability allows authorized users with audit log access to retrieve enterprise directory credentials.

TL;DR

Harbor fails to properly redact sensitive configuration parameters from its audit logs. This exposes LDAP and OIDC credentials in plain text to any user with audit log read access, requiring an upgrade to version 2.15.0 and immediate rotation of exposed secrets.

Technical Details

Vulnerability Cla
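The incomplete-blacklist failure described in the summary above, shown next to a fail-closed alternative. This is an added example, not Harbor's code or the code from the original article: the denylist and allowlist contents, the function names, the oidc_client_secret key name and the sample payload are assumptions constructed for illustration; only ldap_search_password comes from the advisory text.

```go
package main

import (
	"fmt"
	"strings"
)

// redact copies cfg, masking every value whose key satisfies mask.
func redact(cfg map[string]string, mask func(string) bool) map[string]string {
	out := make(map[string]string, len(cfg))
	for k, v := range cfg {
		if mask(strings.ToLower(k)) {
			v = "***"
		}
		out[k] = v
	}
	return out
}

// Hypothetical denylist: masks only the keys someone remembered to list.
var denylist = map[string]bool{"email_password": true}
func denyMask(k string) bool { return denylist[k] }

// Hypothetical allowlist of keys whose values are safe to log verbatim.
var allowlist = map[string]bool{"auth_mode": true, "ldap_url": true}

// allowMask fails closed: unknown keys and credential-looking keys are masked.
func allowMask(k string) bool {
	for _, s := range []string{"password", "secret", "token"} {
		if strings.Contains(k, s) {
			return true
		}
	}
	return !allowlist[k]
}

// samplePayload is a constructed configuration update, not real data.
func samplePayload() map[string]string {
	return map[string]string{
		"auth_mode":            "ldap_auth",
		"ldap_url":             "ldaps://ldap.example.test",
		"ldap_search_password": "constructed-ldap-pw",
		"oidc_client_secret":   "constructed-oidc-secret",
	}
}

func main() {
	fmt.Println("denylist :", redact(samplePayload(), denyMask))
	fmt.Println("allowlist:", redact(samplePayload(), allowMask))
}
```

With the denylist, both credentials reach the log description unmasked because neither key was listed; with the allowlist, a newly added secret-bearing key is masked by default until someone explicitly marks it safe.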
