Cyber Posture

CVE-2026-4404

Critical

Published: 23 March 2026
Modified: 24 March 2026
KEV Added:
Patch:
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0006 (18.7th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4404 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). EPSS ranks it at the 18.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly prohibits hard-coded authenticators and requires changing default credentials prior to first use, preventing attackers from exploiting known defaults like admin/Harbor12345.

prevent: Mandates timely remediation of identified flaws, including patching this hard-coded credentials vulnerability as provided in Harbor PR #22751.

prevent: Requires establishing and enforcing secure configuration settings, such as modifying default credentials in harbor.yml during installation as per Harbor documentation.

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Hard-coded/default admin credentials (e.g., admin/Harbor12345) in the public web UI directly enable T1078.001 Default Accounts for unauthenticated remote initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Use of hard-coded credentials in GoHarbor Harbor version 2.15.0 and below allows attackers to use the default password and gain access to the web UI.

Deeper analysis

CVE-2026-4404 involves the use of hard-coded credentials in GoHarbor Harbor versions 2.15.0 and below, enabling attackers to authenticate to the web UI using the default password. This flaw corresponds to CWE-798 (Use of Hard-coded Credentials) and CWE-1393 (Use of Default Credentials), with a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L). The vulnerability was published on 2026-03-23.

Remote attackers require only network access, with no privileges, user interaction, or elevated complexity to exploit it. Successful exploitation provides high confidentiality and integrity impacts alongside low availability impact, allowing unauthorized access to the Harbor web UI, including default administrator privileges via credentials such as admin/Harbor12345.

Mitigation guidance from Harbor documentation emphasizes modifying default credentials in harbor.yml during installation. GitHub issue #1937 documents the problem, while pull request #22751 provides a patch. The CERT advisory VU#577436 and CWE definitions offer additional technical details on remediation.

Details

CWE(s): CWE-798 (Use of Hard-coded Credentials), CWE-1393 (Use of Default Credentials)

Affected Products

GoHarbor Harbor (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-24346 (shared CWE-798)
CVE-2024-51547 (shared CWE-798)
CVE-2025-30122 (shared CWE-798)
CVE-2026-33784 (shared CWE-1393)
CVE-2026-23781 (shared CWE-798)
CVE-2026-27785 (shared CWE-798)
CVE-2026-26218 (shared CWE-798)
CVE-2026-25803 (shared CWE-798)
CVE-2026-29119 (shared CWE-798)
CVE-2025-2347 (shared CWE-1393)

References