CVE-2026-4404
Published 2026-03-23
CVE-2026-4404: Use of hard-coded credentials in GoHarbor Harbor version 2.15.0 and below allows attackers to use the default password and gain access to the web UI.
Priority: P262 · critical · 9.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.50% (38.9th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | goharbor_harbor | 0 – 2.15.0 | — |
| harbor | harbor | 0.1.0 – 2.15.0 | — |
Detection & IOCs (extracted from sources)
- Detect use of hard-coded/default credentials against the GoHarbor Harbor web UI on versions 2.15.0 and below.
- No public exploit is currently available and no fix exists as of the published dates; affected packages include cpe:2.3:a:linuxfoundation:harbor and github.com/goharbor/harbor on GoLang, Linux, and Windows platforms.
- All GoHarbor Harbor deployments running version 2.15.0 or below are affected and should be reviewed for default credential exposure on the web UI.
OSV
Harbor allows the use of the default password for web UI login in github.com/goharbor/harbor
osv·2026-03-26
CVE-2026-4404 Harbor allows the use of the default password for web UI login in github.com/goharbor/harbor
OSV
Harbor allows the use of the default password for web UI login
osv·2026-03-23
CVE-2026-4404 [CRITICAL] Harbor allows the use of the default password for web UI login
GHSA
Harbor allows the use of the default password for web UI login
ghsa·2026-03-23
CVE-2026-4404 [CRITICAL] CWE-1393 Harbor allows the use of the default password for web UI login
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Telecom Sleeper Cells, LLM Jailbreaks, Apple Forces U.K. Age Checks and More
blogs_hackernews·2026-03-30·CVSS 9.3
[CRITICAL] ⚡ Weekly Recap: Telecom Sleeper Cells, LLM Jailbreaks, Apple Forces U.K. Age Checks and More
## ⚡ Weekly Recap: Telecom Sleeper Cells, LLM Jailbreaks, Apple Forces U.K. Age Checks and More
Some weeks are loud. This one was quieter but not in a good way. Long-running operations are finally hitting courtrooms, old attack methods are showing up in new places, and research that stopped being theoretical right around the time defenders stopped paying attention.
There's a bit of everything this week. Persistence plays, legal wins, influence ops, and at least one thing that looks boring until you see what it connects to.
All of it below. Let's go.
## ⚡ Threat of the Week
Citrix Flaw Comes Under Active Exploitation — A cr
Wiz
CVE-2026-4404 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-4404 [HIGH] CVE-2026-4404 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4404: Harbor vulnerability analysis and mitigation
Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.
Source: NVD
Score: 9.4
Published: March 23, 2026
Severity: CRITICAL
CNA Score: 9.4
Affected Technologies: Harbor
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 17.3
Exploitation Probability (EPSS): 0.1
Affected packages and libraries
cpe:2.3:a:linuxfoundation:harbor
github.com/goharbor/harbor
Sources
NVD
| Platform | Severity | Fix | Added at |
|---|---|---|---|
| GoLang | CRITICAL | No Fix | Mar 26, 2026 |
| Linux | CRITICAL | No Fix | Mar 29, 2026 |
| Windows | CRITICAL | No Fix | Mar 29, 2026 |
- https://cwe.mitre.org/data/definitions/1393.html
- https://github.com/goharbor/harbor/issues/1937
- https://github.com/goharbor/harbor/pull/22751
- https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345
- https://www.kb.cert.org/vuls/id/577436
Published: 2026-03-23