Weak credentials vulnerability in the CashDro 3 web administration panel
Summary
| CVE | CVE-2026-8077 |
|---|---|
| State | PUBLISHED |
| Assigner | INCIBE |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-08 13:16:49 UTC |
| Updated | 2026-05-08 15:51:08 UTC |
| Description | Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escalate privileges and gain full administrative access. This vulnerability allows all restrictions to be bypassed and completely compromises system management. |
Risk And Classification
Primary CVSS: v4.0 8.6 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000310000 probability, percentile 0.091850000 (date 2026-05-12)
Problem Types: CWE-862 | CWE-862 CWE-862: Missing Authorization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | CashDro | CashDro 3 Administration Panel | affected 24.01.00.26 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| labs.itresit.es/2026/05/07/cashdro-vulnerabilities-from-pentest-to-stealing-m... | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | labs.itresit.es | |
| www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cashdro-3 | [email protected] | www.incibe.es | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Pedro Gabaldón Juliá (en)
CNA: Javier Medina Munuera (en)
CNA: David Montoro Aguilera (en)
CNA: Javier Ayala Ortín (en)
CNA: Pedro Castillo Torío (en)
Additional Advisory Data
Solutions
CNA: The fix has been incorporated into the supported versions of the product. The currently supported version, which is required for the update, is 26.01.00.16. Previous versions have been removed from the distribution repository for security reasons.