Harbor allows the use of the default password for web UI login

GHSA-hj7x-hmf2-hc2p · CVE-2026-4404 · GO-2026-4845

Published Mar 23, 2026 · Modified Mar 26, 2026

Description

Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-4404
WEB https://github.com/goharbor/harbor/issues/1937
WEB https://github.com/goharbor/harbor/pull/22751
PACKAGE https://github.com/goharbor/harbor
WEB https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345
WEB https://www.kb.cert.org/vuls/id/577436

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes