Skip to main content

CashDro 3 CVE-2026-8077

| EUVDEUVD-2026-28591 HIGH
Missing Authorization (CWE-862)
2026-05-08 INCIBE GHSA-j4mr-3f43-qwmq
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 08, 2026 - 14:00 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
8.6 (HIGH)
CVE Published
May 08, 2026 - 12:12 nvd
HIGH 8.6

DescriptionCVE.org

Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escalate privileges and gain full administrative access. This vulnerability allows all restrictions to be bypassed and completely compromises system management.

AnalysisAI

Authorization bypass in CashDro 3 web administration panel 24.01.00.26 allows authenticated attackers to escalate to full administrative privileges by manipulating client-side permission controls. The vulnerability stems from reliance on frontend-only authorization checks, with no backend validation of user permissions. Attackers with low-privileged accounts can modify the 'Permissions' field in JSON responses to grant themselves unrestricted access to cash management system controls. INCIBE-CERT has confirmed vendor patch availability, though EPSS data is not yet available for this recent CVE.

Technical ContextAI

CashDro 3 is a cash management system with web-based administration. This vulnerability exploits CWE-862 (Missing Authorization), where the application fails to implement server-side permission checks. The CVSS 4.0 vector indicates network-accessible exploitation requiring low privileges but no user interaction (AV:N/AC:L/PR:L/UI:N). The backend API accepts and processes requests without validating whether the authenticated user possesses the necessary authorization for privileged operations. By intercepting and modifying the binary permission string in JSON API responses before they reach the browser, an attacker can inject administrative permissions that the backend will honor in subsequent requests. This represents a fundamental architectural flaw where security policy enforcement occurs only in the presentation layer rather than the business logic tier, violating defense-in-depth principles for authentication and authorization systems.

RemediationAI

Apply the vendor-released security patch available from CashDro according to the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cashdro-3. The advisory provides specific patch versions and installation procedures for CashDro 3 systems. Until patching is completed, implement network-level access controls to restrict web administration panel access to trusted management networks only, blocking internet-facing exposure entirely. Deploy web application firewall rules to detect and block API requests containing modified permission fields, though this provides limited protection against determined attackers who can bypass client-side controls. Audit all user accounts with existing access to the administration panel, removing unnecessary accounts and enforcing principle of least privilege for remaining users. Review system logs for suspicious privilege escalation attempts, focusing on accounts that accessed administrative functions inconsistent with their assigned roles. Monitor the ITResIT Labs technical analysis at https://labs.itresit.es/2026/05/07/cashdro-vulnerabilities-from-pentest-to-stealing-money/ for additional exploitation indicators and detection signatures. Note that access restrictions and monitoring provide defense-in-depth but cannot eliminate the core vulnerability requiring backend authorization enforcement.

Share

CVE-2026-8077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy