UNKNOWN Go
Harbor: LDAP password and OIDC secret are not redacted in the audit log
GHSA-prh4-vhfh-24mj · GO-2026-4876
Description
Impact
Harbor writes the configuration payload to the audit log when the configuration changes. The ldap_search_password and oidc_client_secret values are written to the audit log without being redacted.
Patches
Harbor v2.15.0, v2.14.3, v2.13.5
Workarounds
Disable the audit log event for configuration changes in the Harbor Web Console: go to Administration -> Configuration -> Enable Audit Log Event Type, uncheck "Update Configuration" and click the "Save" button.
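Masking secret fields before a configuration payload reaches an audit log, shown as an added example. This is not Harbor's patch or code: the JSON payload shape, the function names and the sample values are assumptions, and only the two key names come from the advisory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Keys named in the advisory as logged without redaction.
var sensitiveKeys = map[string]bool{
	"ldap_search_password": true,
	"oidc_client_secret":   true,
}
const mask = "***REDACTED***"

// redactValue masks every value stored under a sensitive key, at any depth.
func redactValue(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, val := range t {
			if sensitiveKeys[strings.ToLower(k)] {
				t[k] = mask // replace the whole value, whatever its type
			} else {
				t[k] = redactValue(val)
			}
		}
	case []interface{}:
		for i := range t {
			t[i] = redactValue(t[i])
		}
	}
	return v
}

// RedactConfigPayload (hypothetical helper) returns a loggable form of a JSON
// configuration payload. It fails closed: unparseable input is never echoed.
func RedactConfigPayload(raw []byte) (string, error) {
	var doc interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return "", fmt.Errorf("payload not logged: %w", err)
	}
	out, err := json.Marshal(redactValue(doc))
	return string(out), err
}

func main() {
	// Constructed sample payload; the values are placeholders.
	fmt.Println(RedactConfigPayload([]byte(`{"auth_mode":"ldap_auth","ldap_search_password":"constructed-pw","oidc":{"oidc_client_secret":"constructed-secret"}}`)))
}
```

Matching on key name rather than on value keeps the check independent of what the secret looks like, and returning an error for malformed input prevents a raw payload from being logged as a fallback.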