CVE-2026-4404 - Vulnerability Analysis
CriticalCVSS: 9.4Last Updated: March 23, 2026
GoHarbor Harbor - Authentication Bypass
Overview
GoHarbor Harbor <= 2.15.0 contains hardcoded credentials allowing attackers to use default passwords to access the web UI, exploit requires no special conditions.
Severity & Score
Impact
Attackers can access the web UI using default credentials, leading to unauthorized access.
Mitigation
Update to the latest version beyond 2.15.0.
References
- https://cwe.mitre.org/data/definitions/1393.html
- https://github.com/goharbor/harbor/issues/1937
- https://github.com/goharbor/harbor/pull/22751
- https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345
Social Media Activity(2 posts)
š“ CVE-2026-4404 - Critical (9.4) Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI. š https://www.thehackerwire.com/vulnerability/CVE-2026-4404/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š“ CVE-2026-4404 - Critical (9.4) Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI. š https://www.thehackerwire.com/vulnerability/CVE-2026-4404/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-4404
- Severity
- Critical
- CVSS Score
- 9.4
- Type
- hardcoded_credentials
- Status
- new
- EPSS
- 0.0%
- Social Posts
- 2
CWE
- CWE-798
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L