CVE-2026-4404
Received
Published: 23 Mar 2026, 14:47
Last modified:23 Mar 2026, 15:25
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.4 CRITICAL
v3.1 (cve.org)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
23 Mar 2026, 14:47
Published
Vulnerability first disclosed
23 Mar 2026, 15:25
Last Modified
Vulnerability information updated
Description
Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.
CVSS Metrics
- v3.1•CRITICAL•Score: 9.4CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Techniques & Countermeasures
- CWE-798•Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key.
- CWE-1393•Use of Default Password
The product uses default passwords for potentially critical functionality.
Affected Systems
- harbor•harbor
≥ 0.1.0, ≤ 2.15.0
References (4)
- https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345
- https://github.com/goharbor/harbor/issues/1937
- https://cwe.mitre.org/data/definitions/1393.html
- https://github.com/goharbor/harbor/pull/22751