CVE-2026-4404: Harbor allows the use of the default password for web UI login

March 23, 2026 (updated March 25, 2026)

Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.

References

github.com/advisories/GHSA-hj7x-hmf2-hc2p
github.com/goharbor/harbor
github.com/goharbor/harbor/issues/1937
github.com/goharbor/harbor/pull/22751
goharbor.io/docs/1.10/install-config/run-installer-script/
nvd.nist.gov/vuln/detail/CVE-2026-4404
www.kb.cert.org/vuls/id/577436

Code Behaviors & Features

Detect and mitigate CVE-2026-4404 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →