CVE 8.6 HIGH

Weak credentials vulnerability in the CashDro 3 web administration panel_CVE-2026-8077

May 8, 2026 invoker category_cve

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escalate privileges and gain full administrative access. This vulnerability allows all restrictions to be bypassed and completely compromises system management.

AI Analysis

Lack of proper authorization in CashDro 3 web administration panel allows privilege escalation and full administrative access

Basic Information

ID CVE-2026-8077

Source INCIBE

Published May 8, 2026 at 12:12

Modified May 8, 2026 at 12:13

Affected Product

Vendor CashDro

Product CashDro 3 Administration Panel

Version 24.01.00.26

Affected Versions CashDro CashDro 3 Administration Panel 24.01.00.26

CWE Classification

CWE-862

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor CashDro

Product CashDro 3 Administration Panel

Version 24.01.00.26

References

{
    "lastseen": "",
    "description": "Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the \u2018Permissions\u2019 field of the JSON response, an attacker could escalate privileges and gain full administrative access. This vulnerability allows all restrictions to be bypassed and completely compromises system management.",
    "published": "2026-05-08T12:12:55.796Z",
    "modified": "2026-05-08T12:13:56.514Z",
    "type": "cve",
    "title": "Weak credentials vulnerability in the CashDro 3 web administration panel",
    "source": "INCIBE",
    "references": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cashdro-3\nhttps://labs.itresit.es/2026/05/07/cashdro-vulnerabilities-from-pentest-to-stealing-money/",
    "id": "CVE-2026-8077",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "CashDro CashDro 3 Administration Panel 24.01.00.26",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "CashDro 3 Administration Panel",
    "version": "24.01.00.26",
    "vendor": "CashDro",
    "ai_description": "Lack of proper authorization in CashDro 3 web administration panel allows privilege escalation and full administrative access",
    "ai_severity": "High",
    "ai_vendor": "CashDro",
    "ai_product": "CashDro 3 Administration Panel",
    "ai_version": "24.01.00.26",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply