CVE-2026-4404 PUBLISHED

Use of hard coded credentials in GoHarbor Harbor

Assigner: certcc
Reserved: 18.03.2026 Published: 23.03.2026 Updated: 23.03.2026

Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.

Product Status

Vendor	Harbor
Product	Harbor
Versions	affected from 0.1.0 to 2.15.0 (incl.)

References

https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345
https://github.com/goharbor/harbor/issues/1937
https://cwe.mitre.org/data/definitions/1393.html
https://github.com/goharbor/harbor/pull/22751

Problem Types

CWE-798 Use of Hard-coded Credentials