CVE-2026-4404
CRITICAL 9.4, EPSS 0.06%
Harbor allows the use of the default password for web UI login
Published: 3/23/2026
Modified: 3/26/2026
Description
Use of hard-coded credentials in GoHarbor Harbor version 2.15.0 and below allows attackers to use the default password and gain access to the web UI.
Affected packages (2)
- Go/github.com/goharbor/harbor from 0, <= 2.15.0
- Go/github.com/goharbor/harbor from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
References (7)
- ADVISORY https://github.com/advisories/GHSA-hj7x-hmf2-hc2p
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-4404
- PATCH https://github.com/goharbor/harbor
- WEB https://github.com/goharbor/harbor/issues/1937
- WEB https://github.com/goharbor/harbor/pull/22751
- WEB https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345
- WEB https://www.kb.cert.org/vuls/id/577436