CVE-2026-4404

CRITICAL 9.4

Use of hard coded credentials in GoHarbor Harbor

CVSS Score

9.4

EPSS Score

0.0%

EPSS Percentile

12th

Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.

Vendor	harbor
Product	harbor
Published	Mar 23, 2026
Last Updated	Mar 24, 2026

Stay Ahead of the Next One

Get instant alerts for harbor harbor

Be the first to know when new critical vulnerabilities affecting harbor harbor are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Harbor / Harbor

0.1.0 ≤ 2.15.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

goharbor.io: https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345 github.com: https://github.com/goharbor/harbor/issues/1937 cwe.mitre.org: https://cwe.mitre.org/data/definitions/1393.html github.com: https://github.com/goharbor/harbor/pull/22751 kb.cert.org: https://www.kb.cert.org/vuls/id/577436