[Update 08/05/2026] Multiple vulnerabilities in CashDro 3
CashDro 3 Administration Panel: Version 24.01.00.26.
INCIBE has coordinated the disclosure of two vulnerabilities, one critical and one high severity, affecting the web administration panel of CashDro 3, a smart cash management drawer. The vulnerabilities were discovered by Pedro Gabaldón Juliá, Javier Medina Munuera, David Montoro Aguilera, Javier Ayala Ortín, and Pedro Castillo Torío.
Each vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector, and CWE weakness type:
- CVE-2026-8076: CVSS v4.0: 9.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-1391
- CVE-2026-8077: CVSS v4.0: 8.8 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-862
[Update 08/05/2026]
The new versions of CashDro support alphanumeric PINs, thereby addressing the first vulnerability.
As for the second vulnerability, the fix has been incorporated into the supported versions of the product. The currently supported version, which is required for the update, is 26.01.00.16. Previous versions have been removed from the distribution repository for security reasons.
- CVE-2026-8076: weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This could allow an attacker to easily perform a brute-force attack against a user and gain access by trying different PINs without the account being locked. Successful exploitation of this vulnerability could result in unauthorized access to confidential configuration settings, compromising the security of the system.
- CVE-2026-8077: lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escalate privileges and gain full administrative access. This vulnerability allows all restrictions to be bypassed and completely compromises system management.
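To make the second finding concrete from the defender's side, the following added example (illustrative code written for this advisory, not CashDro's own) contrasts an authorization decision that trusts a client-presented binary 'Permissions' string with one that derives rights from the server-side record of the authenticated session user. The bit layout, user store and endpoint names are constructed assumptions.

```python
# Added illustration for this advisory, not CashDro code. The permission
# layout, user store and endpoints below are constructed assumptions.
from typing import Optional

# Hypothetical bit layout of the binary 'Permissions' string, leftmost bit first.
PERMISSIONS = ("view_status", "open_drawer", "edit_config", "manage_users")

# Hypothetical server-side user store: the authoritative permissions live here.
USERS = {"cashier": "1100", "admin": "1111"}

# Hypothetical mapping of each endpoint to the permission it requires.
ENDPOINT_REQUIRES = {"/api/status": "view_status",
                     "/api/config": "edit_config",
                     "/api/users": "manage_users"}


def parse_permissions(bits: str) -> frozenset:
    """Decode '1100' into {'view_status', 'open_drawer'}; reject malformed
    input instead of silently granting anything."""
    if len(bits) != len(PERMISSIONS) or set(bits) - {"0", "1"}:
        raise ValueError(f"malformed permission string: {bits!r}")
    return frozenset(n for n, b in zip(PERMISSIONS, bits) if b == "1")


def authorize_frontend_only(endpoint: str, client_json: dict) -> bool:
    """The flawed pattern the advisory describes: the decision rests on the
    'Permissions' value the client presents, so a tampered value is honoured."""
    required = ENDPOINT_REQUIRES.get(endpoint)
    return required is not None and required in parse_permissions(client_json["Permissions"])


def authorize_backend(session_user: str, endpoint: str,
                      client_json: Optional[dict] = None) -> bool:
    """Hardened pattern: rights come from the server-side record of the
    authenticated session user; whatever the client sent is not consulted."""
    required = ENDPOINT_REQUIRES.get(endpoint)
    stored = USERS.get(session_user)
    if required is None or stored is None:
        return False  # unknown endpoint or unknown user: deny by default
    return required in parse_permissions(stored)


if __name__ == "__main__":
    tampered = {"Permissions": "1111"}  # a cashier's client claiming full rights
    print(authorize_frontend_only("/api/config", tampered))       # True  (bypassed)
    print(authorize_backend("cashier", "/api/config", tampered))  # False (enforced)
```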
| CVE identifier | Severity | Exploited | Vendor |
|---|---|---|---|
| CVE-2026-8076 | Critical | No | CashDro |
| CVE-2026-8077 | High | No | CashDro |