CVE-2026-4404
published 2026-03-23

CVE-2026-4404: Use of hard-coded credentials in GoHarbor Harbor version 2.15.0 and below allows attackers to use the default password and gain access to the web UI.

Priority: P2 · 62 · critical · 9.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.50% (38.9th percentile)

Affected

2 ranges
Vendor     | Product         | Version range  | Fixed in
github.com | goharbor_harbor | 0 – 2.15.0     |
harbor     | harbor          | 0.1.0 – 2.15.0 |

Detection & IOCs (extracted from sources)

  • Detect use of hard-coded/default credentials against the GoHarbor Harbor web UI on versions 2.15.0 and below
  • No public exploit is currently available and no fix exists as of the published dates; affected packages include cpe:2.3:a:linuxfoundation:harbor and github.com/goharbor/harbor on GoLang, Linux, and Windows platforms
  • All GoHarbor Harbor deployments running version 2.15.0 or below are affected and should be reviewed for default credential exposure on the web UI