Multiple vulnerabilities in CashDro 3

Posted date 07/05/2026
Identifier
INCIBE-2026-331
Importance
5 - Critical
Affected Resources

CashDro 3 Administration Panel: Version 24.01.00.26.

Description

INCIBE has coordinated the disclosure of two vulnerabilities, one critical and one high severity, affecting the web administration panel of CashDro 3, a smart cash management drawer. The vulnerabilities were discovered by Pedro Gabaldón Juliá, Javier Medina Munuera, David Montoro Aguilera, Javier Ayala Ortín, and Pedro Castillo Torío.

These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type for each vulnerability:

  • CVE-2026-8076: CVSS v4.0: 9.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-1391
  • CVE-2026-8077: CVSS v4.0: 8.8 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-862
Solution

The new version of CashDro supports alphanumeric PINs, thereby addressing the first vulnerability.

Detail
  • CVE-2026-8076: weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform relies exclusively on numeric PINs for user authentication. The system requires the use of PIN-based credentials that cannot be strengthened or replaced with complex passwords. This could allow an attacker to easily perform a brute-force attack against a user and gain access by trying different PINs without the account being locked. Successful exploitation of this vulnerability could result in unauthorized access to sensitive configuration settings, compromising the security of the system.
  • CVE-2026-8077: lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escalate privileges and gain full administrative access. This vulnerability allows all restrictions to be bypassed and completely compromises system management.
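As an added illustration of the mitigation for both findings (this is not CashDro's code; the permission bit layout, role table, user records and lockout threshold are constructed assumptions), the following backend derives a user's permission bitstring from its own session and role data, never reads a client-supplied 'Permissions' field, and locks an account after repeated failed PIN attempts:

```python
# Added example, not CashDro code: server-side authorization plus PIN lockout.
from dataclasses import dataclass, field

# Assumed bit positions in the server-side permission string.
PERMS = {"view_config": 0, "edit_config": 1, "manage_users": 2}

# Constructed sample data: role table and user records held by the backend.
ROLE_PERMS = {"operator": "100", "admin": "111"}
USERS = {"alice": {"pin": "4821", "role": "operator"},
         "bob":   {"pin": "9034", "role": "admin"}}

MAX_FAILED = 5  # assumed lockout threshold


@dataclass
class AuthState:
    failed: dict = field(default_factory=dict)    # user -> failed attempts
    sessions: dict = field(default_factory=dict)  # session id -> user


def login(state, user, pin):
    """Return a session id on success, else None; lock after MAX_FAILED tries."""
    if state.failed.get(user, 0) >= MAX_FAILED:
        return None  # locked: unlimited PIN guessing is no longer possible
    rec = USERS.get(user)
    if rec is None or rec["pin"] != pin:
        state.failed[user] = state.failed.get(user, 0) + 1
        return None
    state.failed[user] = 0
    sid = f"sess-{user}"
    state.sessions[sid] = user  # store the identity only, never permissions
    return sid


def handle_request(state, sid, body):
    """Authorize body['action'] from server data; any 'Permissions' the client
    sends in the body is deliberately never read."""
    user = state.sessions.get(sid)
    if user is None:
        return False
    perms = ROLE_PERMS[USERS[user]["role"]]  # derived from backend state only
    return perms[PERMS[body["action"]]] == "1"
```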
CVE
CVE identifier   Severity   Exploited   Vendor
CVE-2026-8076    Critical   No          CashDro
CVE-2026-8077    High       No          CashDro