CVE-2026-4404 — Vulnetix

CVE-2026-4404 PUBLISHED CVSS 9.399999618530273 CRITICAL

GoHarbor Harbor is an OCI-compliant open-source container registry widely adopted, especially in cloud-native environments. It stores, signs, and manages container images. CVE-2026-4404 represents a critical vulnerability (CVSS score of 9.4) found in GoHarbor versions 2.15.0 and below that allows attackers to leverage a default, hardcoded password to gain unauthorized access to the application’s web UI. The core issue is the use of hardcoded credentials within GoHarbor Harbor. Specifically, a default password is embedded in the application’s code for versions 2.15.0 and earlier. This isn’t a bypass or an injection; it’s a known, fixed credential that an attacker can simply use. The presence of this default password means that any instance running the vulnerable versions, where this password hasn’t been changed post-installation, is susceptible to unauthorized access. Instances running versions above 2.15.0 are not affected by this vulnerability.

EPSS 0.04% · 12.8th percentile

Risk Scores

CVSS v3.1

9.399999618530273

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

EPSS Score

0.04%

12.8th percentile

Affected Products

Vendor	Product	Versions
GoHarbor	GoHarbor Harbor version 2.15.0 and below

Timeline

Mar 23, 2026 CVE Published
Mar 23, 2026 PoC Published
Mar 23, 2026 PoC Published
Mar 24, 2026 EPSS Score
Mar 24, 2026 Security Advisory
Mar 25, 2026 CVE Updated
Mar 25, 2026 EPSS Score
Mar 25, 2026 Coalition ESS Score
Mar 25, 2026 PoC Published
Mar 26, 2026 Security Advisory
Mar 29, 2026 PoC Published

References

Open in Interactive Console →