PT-2026-29917 · Go · Github.Com/Goharbor/Harbor

Published: 2026-03-26 · Updated: 2026-03-26

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Impact

Harbor writes the configuration payload to the audit log whenever the configuration changes. The LDAP search password and the OIDC client secret in that payload are logged without redaction.
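
A sketch of redacting secret fields from a configuration payload before it is written to an audit log. This is an added example, not Harbor's code or its actual fix; the key names `ldap_search_password` and `oidc_client_secret`, the function names, the mask string and the sample payload are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Keys whose values must never reach a log (assumed key names, matched case-insensitively).
var sensitiveKeys = map[string]bool{"ldap_search_password": true, "oidc_client_secret": true}

const mask = "***REDACTED***"

// scrub walks a decoded JSON value and masks every sensitive key, at any nesting depth.
func scrub(v any) any {
	switch t := v.(type) {
	case map[string]any:
		for k, val := range t {
			if sensitiveKeys[strings.ToLower(k)] {
				t[k] = mask // replace the whole value, whatever its type
			} else {
				t[k] = scrub(val)
			}
		}
	case []any:
		for i := range t {
			t[i] = scrub(t[i])
		}
	}
	return v
}

// RedactForAudit returns the text safe to log; it fails closed on unparseable input.
func RedactForAudit(payload []byte) string {
	var v any
	if err := json.Unmarshal(payload, &v); err != nil {
		return `{"payload":"omitted: not valid JSON"}`
	}
	out, err := json.Marshal(scrub(v))
	if err != nil {
		return `{"payload":"omitted: encode error"}`
	}
	return string(out)
}

func main() {
	// Constructed sample of a configuration update request body.
	body := []byte(`{"auth_mode":"oidc_auth","oidc_client_secret":"s3cr3t","ldap_search_password":"hunter2"}`)
	fmt.Println(RedactForAudit(body))
}
```

An unparseable payload is dropped rather than logged raw, so a malformed request cannot bypass the redaction.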

Patches

Harbor v2.15.0, v2.14.3, v2.13.5

Workarounds

Disable the audit log configuration event in the Harbor Web Console: go to Administration -> Configuration -> Enable Audit Log Event Type, uncheck "Update Configuration" and click the "Save" button.

Fix

Cleartext Storage of Sensitive Information

Insertion into Log File

Weakness Enumeration

Related Identifiers

GHSA-PRH4-VHFH-24MJ

Affected Products

Github.Com/Goharbor/Harbor