VDB

CVE-2026-4404

CVE-2026-4404 PUBLISHED CVSS 9.399999618530273 CRITICAL

GoHarbor Harbor is an OCI-compliant open-source container registry widely adopted, especially in cloud-native environments. It stores, signs, and manages container images. CVE-2026-4404 represents a critical vulnerability (CVSS score of 9.4) found in GoHarbor versions 2.15.0 and below that allows attackers to leverage a default, hardcoded password to gain unauthorized access to the application’s web UI. The core issue is the use of hardcoded credentials within GoHarbor Harbor. Specifically, a default password is embedded in the application’s code for versions 2.15.0 and earlier. This isn’t a bypass or an injection; it’s a known, fixed credential that an attacker can simply use. The presence of this default password means that any instance running the vulnerable versions, where this password hasn’t been changed post-installation, is susceptible to unauthorized access. Instances running versions above 2.15.0 are not affected by this vulnerability.

EPSS 0.06% · 19.8th percentile

Risk Scores

CVSS 3.1
9.399999618530273
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score
0.06%
19.8th percentile

Affected Products

VendorProductVersions
GoHarborGoHarbor Harbor version 2.15.0 and below

Exploit Intelligence

…and 34 more exploits

Timeline

  • Mar 23, 2026 CVE Published
  • Mar 23, 2026 PoC Published
  • Mar 23, 2026 PoC Published
  • Mar 24, 2026 EPSS Score
  • Mar 24, 2026 Security Advisory
  • Mar 25, 2026 CVE Updated
  • Mar 25, 2026 EPSS Score
  • Mar 25, 2026 Coalition ESS Score
  • Mar 25, 2026 PoC Published
  • Mar 26, 2026 Security Advisory
  • Mar 29, 2026 PoC Published
  • May 18, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›