{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4404", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-03-18T19:43:57.063Z", "datePublished": "2026-03-23T14:47:13.396Z", "dateUpdated": "2026-03-24T15:25:10.390Z"}, "containers": {"cna": {"title": "Use of hard coded credentials in GoHarbor Harbor", "descriptions": [{"lang": "en", "value": "Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Harbor", "product": "Harbor", "versions": [{"status": "affected", "version": "0.1.0", "lessThanOrEqual": "2.15.0", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "references": [{"url": "https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345"}, {"url": "https://github.com/goharbor/harbor/issues/1937"}, {"url": "https://cwe.mitre.org/data/definitions/1393.html"}, {"url": "https://github.com/goharbor/harbor/pull/22751"}], "x_generator": {"engine": "VINCE 3.0.34", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-4404"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-03-23T14:47:13.396Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-798", "lang": "en", "description": "CWE-798 Use of Hard-coded Credentials"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-1393", "lang": "en", "description": "CWE-1393 Use of Default Password"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T15:24:29.261835Z", "id": "CVE-2026-4404", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:25:52.414Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/577436"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-24T15:25:10.390Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/577436"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-24T15:25:10.390Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4404", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T15:24:29.261835Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1393", "description": "CWE-1393 Use of Default Password"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T15:23:49.734Z"}}], "cna": {"title": "Use of hard coded credentials in GoHarbor Harbor", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Harbor", "product": "Harbor", "versions": [{"status": "affected", "version": "0.1.0", "versionType": "custom", "lessThanOrEqual": "2.15.0"}]}], "references": [{"url": "https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345"}, {"url": "https://github.com/goharbor/harbor/issues/1937"}, {"url": "https://cwe.mitre.org/data/definitions/1393.html"}, {"url": "https://github.com/goharbor/harbor/pull/22751"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.34", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-4404"}, "descriptions": [{"lang": "en", "value": "Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-03-23T14:47:13.396Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4404", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:25:10.390Z", "dateReserved": "2026-03-18T19:43:57.063Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-03-23T14:47:13.396Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI."}, {"lang": "es", "value": "Uso de credenciales codificadas de forma r\u00edgida en GoHarbor Harbor versi\u00f3n 2.15.0 y anteriores, permite a los atacantes usar la contrase\u00f1a predeterminada y obtener acceso a la interfaz de usuario web."}], "id": "CVE-2026-4404", "lastModified": "2026-03-24T16:16:36.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-23T15:16:35.403", "references": [{"source": "cret@cert.org", "url": "https://cwe.mitre.org/data/definitions/1393.html"}, {"source": "cret@cert.org", "url": "https://github.com/goharbor/harbor/issues/1937"}, {"source": "cret@cert.org", "url": "https://github.com/goharbor/harbor/pull/22751"}, {"source": "cret@cert.org", "url": "https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.kb.cert.org/vuls/id/577436"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}, {"lang": "en", "value": "CWE-1393"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.1.0,2.15.0]"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "Harbor", "source": "cna", "vendor": "Harbor"}, "product": "harbor", "vendor": "goharbor"}], "analysis": {"en": {"generated_at": "2026-03-23T17:51:43.463731+00:00", "value": {"mitigation_remediation": ["Upgrade Harbor to a version where the hard\u2011coded credentials are removed (e.g., 2.15.1 or later).", "If upgrading is not immediately possible, modify the admin password in the harbor.yml configuration file or through the web UI, and enforce the change to a strong password.", "After changing the credential, verify that the default admin credentials no longer authenticate successfully.", "Restrict network access to the Harbor UI to only trusted hosts or internal network segments, and enable multi\u2011factor authentication if available."], "summary": {"action": "Immediate patch", "impact": "Unauthorized administrative access via default credentials"}, "threat_synthesis": {"affected_systems": "The flaw affects Harbor 2.15.0 and all earlier releases. Any deployment that has not been updated beyond 2.15.0 and that has not configured a custom administrator password is at risk. This includes installations of Harbor deployed from the open\u2011source project or from Harbor Inc.; the vulnerability is product\u2011wide regardless of hosting environment.", "description_and_impact": "Harbor contains hard\u2011coded default administrator credentials that are deployed unchanged when the product is installed. An attacker who can reach the web interface can use the username admin and the password Harbor12345 to authenticate as an administrator, gaining full control over the registry, including the capability to upload, delete, or modify container images and to alter configuration settings.", "risk_and_exploitability": "The CVSS score of 9.4 classifies the issue as critical. The exploit requires only network access to the Harbor UI and no special configuration or privilege escalation. The absence of a KEV listing does not reduce the risk, as the credentials are trivial to guess and the vulnerability is well documented. An attacker who gains administrative access can compromise the integrity and confidentiality of all container artifacts in the registry."}}}}, "created": "2026-03-24T10:33:43.050219+00:00", "updated": "2026-03-25T21:27:58.614356+00:00", "vendors": ["goharbor", "goharbor$PRODUCT$harbor"]}