CVE-2026-4404 - Vulnerability Analysis
CriticalCVSS: 9.4Last Updated: March 24, 2026
GoHarbor Harbor - Authentication Bypass
Published: March 23, 2026Updated: March 24, 2026Remote Exploitable
Overview
GoHarbor Harbor <= 2.15.0 contains hardcoded credentials allowing attackers to use default passwords to access the web UI, exploit requires no special conditions.
Severity & Score
Severity: Critical
CVSS Score: 9.4
EPSS Score: 4.2%(Probability of exploitation in next 30 days)
Impact
Attackers can access the web UI using default credentials, leading to unauthorized access.
Mitigation
Update to the latest version beyond 2.15.0.
References
- https://github.com/goharbor/harbor/issues/1937
- https://github.com/goharbor/harbor/pull/22751
- https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345
- https://www.kb.cert.org/vuls/id/577436
- https://cwe.mitre.org/data/definitions/1393.html
Social Media Activity(1 post)
TheHackerWire
@thehackerwire
š“ CVE-2026-4404 - Critical (9.4) Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI. š https://www.thehackerwire.com/vulnerability/CVE-2026-4404/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-4404
- Severity
- Critical
- CVSS Score
- 9.4
- Type
- hardcoded_credentials
- Status
- unconfirmed
- EPSS
- 4.2%
- Social Posts
- 1
CWE
- CWE-798
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score
4.2%Probability of exploitation in the next 30 days