CVE-2026-8077

HIGH

Weak credentials vulnerability in the CashDro 3 web administration panel

Title source: cna

Description

Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escalate privileges and gain full administrative access. This vulnerability allows all restrictions to be bypassed and completely compromises system management.

References (2)

Core 2

Core References

Patch patch

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cashdro-3

https://labs.itresit.es/2026/05/07/cashdro-vulnerabilities-from-pentest-to-stealing-money/

Scores

CVSS v4 8.6

EPSS 0.0025

EPSS Percentile 15.9%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-862

Status published

Products (1)

CashDro/CashDro 3 Administration Panel 24.01.00.26

Published May 08, 2026

Tracked Since May 08, 2026