Cyber Resilience

CVE-2026-4404

Critical

Published: 23 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: available (Harbor PR #22751)
CVSS v3.1: 9.4 (Critical) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.0050 (38.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-4404 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Default Accounts (T1078.001). EPSS ranks the CVE at the 38.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-4404 covers the hard-coded default credentials shipped with GoHarbor Harbor 2.15.0 and earlier, which let an attacker authenticate to the web UI with the default admin password. The flaw maps to CWE-798 (Use of Hard-coded Credentials) and CWE-1393 (Use of Default Credentials) and carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L). It was published on 2026-03-23.

An attacker needs only network reachability to the web UI: no privileges, no user interaction and no special conditions. Successful exploitation yields high confidentiality and integrity impact with low availability impact, since the attacker logs in to the Harbor web UI as the built-in administrator using the default credentials admin/Harbor12345.

Harbor's documented mitigation is to set a non-default admin password in harbor.yml (harbor_admin_password) before the first installation. Note that this setting is honoured only on first install; an instance that has already been initialised with the default keeps it regardless of later edits to harbor.yml and must have the admin password changed through the UI or API. GitHub issue #1937 documents the problem, and pull request #22751 provides a patch. The CERT advisory VU#577436 and the CWE definitions offer additional technical details on remediation.
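As an added audit example (not code from the Harbor project or from this advisory), the following Python script performs the two checks a practitioner would want for this flaw: a static scan of harbor.yml for the shipped harbor_admin_password default, and an optional live test of whether a running Harbor still accepts admin/Harbor12345 over HTTP Basic auth. The harbor.yml fragments are constructed, the hardened password is a placeholder, and the live check assumes the instance exposes the v2 endpoint /api/v2.0/users/current and accepts Basic auth for local users.

```python
"""Audit helper for CVE-2026-4404: does a Harbor deployment still accept the
shipped default admin credentials?

Two independent checks:
  1. audit_harbor_yml()  - static: harbor.yml still carries the default
     harbor_admin_password (only honoured on first install, so a clean file
     alone does not prove the running instance is safe).
  2. check_live()        - live: HTTP Basic auth with admin/Harbor12345
     against the Harbor v2 API. This is a real authentication attempt; run it
     only against instances you are authorised to test.
"""
import base64
import sys
import urllib.error
import urllib.request

# Harbor's documented initial admin credentials (the harbor.yml default).
DEFAULT_ADMIN_USER = "admin"
DEFAULT_ADMIN_PASSWORD = "Harbor12345"


def _yaml_scalar(raw: str) -> str:
    """Minimal one-line YAML scalar parser: handles quoted strings (so a '#'
    inside the password survives) and trailing comments. Not general YAML."""
    raw = raw.strip()
    if raw[:1] in ("'", '"'):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw.split("#", 1)[0].strip()


def audit_harbor_yml(text: str) -> dict:
    """Inspect harbor.yml content for the harbor_admin_password setting."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("harbor_admin_password:"):
            value = _yaml_scalar(stripped.split(":", 1)[1])
            return {"found": True, "value": value,
                    "is_default": value == DEFAULT_ADMIN_PASSWORD}
    # Key absent: the installer's fallback is not asserted here; treat as a finding.
    return {"found": False, "value": None, "is_default": False}


def interpret_status(code: int) -> str:
    """Map the HTTP status of GET /api/v2.0/users/current to a verdict."""
    if code == 200:
        return "DEFAULT_CREDENTIALS_ACCEPTED"
    if code in (401, 403):
        return "rejected"
    return f"inconclusive (HTTP {code})"


def check_live(base_url: str, user: str = DEFAULT_ADMIN_USER,
               password: str = DEFAULT_ADMIN_PASSWORD, timeout: float = 10) -> str:
    """Try Basic auth against the Harbor v2 API (assumption: the instance
    exposes /api/v2.0/users/current and accepts Basic auth for local users)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v2.0/users/current")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_status(resp.status)
    except urllib.error.HTTPError as exc:
        return interpret_status(exc.code)


# Constructed harbor.yml fragments for the static check (not real deployments).
SAMPLE_DEFAULT_YML = """\
hostname: registry.example.internal
# The initial password of Harbor admin
harbor_admin_password: Harbor12345
"""
SAMPLE_HARDENED_YML = """\
hostname: registry.example.internal
harbor_admin_password: 'Xq7#rL2vP9mZ!t4W'   # placeholder, rotated at install
"""

if __name__ == "__main__":
    for name, yml in (("default", SAMPLE_DEFAULT_YML), ("hardened", SAMPLE_HARDENED_YML)):
        print(name, audit_harbor_yml(yml))
    if len(sys.argv) > 1:  # e.g. python3 harbor_audit.py https://registry.example.internal
        print(sys.argv[1], check_live(sys.argv[1]))
```

Because harbor_admin_password is honoured only on first install, a hardened harbor.yml does not clear an instance that was already initialised with the default; for deployed registries the live check is the one that matters, and a "DEFAULT_CREDENTIALS_ACCEPTED" verdict means the admin password must be changed through the UI or API immediately.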


Vulnerability details

Use of hard-coded credentials in GoHarbor Harbor version 2.15.0 and below allows attackers to use the default password and gain access to the web UI.

CWE(s)

CWE-798 Use of Hard-coded Credentials
CWE-1393 Use of Default Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The shipped default admin credentials (admin/Harbor12345), accepted by a network-reachable web UI, directly enable T1078.001 Default Accounts for unauthenticated remote initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26218 (shared CWE-798)
CVE-2025-2347 (shared CWE-1393)
CVE-2026-22900 (shared CWE-798)
CVE-2024-51547 (shared CWE-798)
CVE-2024-46433 (shared CWE-798)
CVE-2019-25322 (shared CWE-798)
CVE-2026-27785 (shared CWE-798)
CVE-2020-37135 (shared CWE-798)
CVE-2026-24346 (shared CWE-798)
CVE-2026-25803 (shared CWE-798)

Affected Assets

GoHarbor Harbor
(inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent · IA-5 (Authenticator Management): Directly prohibits hard-coded authenticators and requires changing default credentials prior to first use, preventing attackers from exploiting known defaults like admin/Harbor12345.

prevent: Mandates timely remediation of identified flaws, including applying the fix for this hard-coded credentials vulnerability provided in Harbor PR #22751.

prevent · CM-6 (Configuration Settings): Requires establishing and enforcing secure configuration settings, such as setting a non-default harbor_admin_password in harbor.yml before first installation as per Harbor documentation, and changing the admin password on instances already deployed with the default.
