Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escalate privileges and gain full administrative access. This vulnerability allows all restrictions to be bypassed and completely compromises system management.
AnalysisAI
Authorization bypass in CashDro 3 web administration panel 24.01.00.26 allows authenticated attackers to escalate to full administrative privileges by manipulating client-side permission controls. The vulnerability stems from reliance on frontend-only authorization checks, with no backend validation of user permissions. Attackers with low-privileged accounts can modify the 'Permissions' field in JSON responses to grant themselves unrestricted access to cash management system controls. INCIBE-CERT has confirmed vendor patch availability, though EPSS data is not yet available for this recent CVE.
Technical ContextAI
CashDro 3 is a cash management system with web-based administration. This vulnerability exploits CWE-862 (Missing Authorization), where the application fails to implement server-side permission checks. The CVSS 4.0 vector indicates network-accessible exploitation requiring low privileges but no user interaction (AV:N/AC:L/PR:L/UI:N). The backend API accepts and processes requests without validating whether the authenticated user possesses the necessary authorization for privileged operations. By intercepting and modifying the binary permission string in JSON API responses before they reach the browser, an attacker can inject administrative permissions that the backend will honor in subsequent requests. This represents a fundamental architectural flaw where security policy enforcement occurs only in the presentation layer rather than the business logic tier, violating defense-in-depth principles for authentication and authorization systems.
RemediationAI
Apply the vendor-released security patch available from CashDro according to the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cashdro-3. The advisory provides specific patch versions and installation procedures for CashDro 3 systems. Until patching is completed, implement network-level access controls to restrict web administration panel access to trusted management networks only, blocking internet-facing exposure entirely. Deploy web application firewall rules to detect and block API requests containing modified permission fields, though this provides limited protection against determined attackers who can bypass client-side controls. Audit all user accounts with existing access to the administration panel, removing unnecessary accounts and enforcing principle of least privilege for remaining users. Review system logs for suspicious privilege escalation attempts, focusing on accounts that accessed administrative functions inconsistent with their assigned roles. Monitor the ITResIT Labs technical analysis at https://labs.itresit.es/2026/05/07/cashdro-vulnerabilities-from-pentest-to-stealing-money/ for additional exploitation indicators and detection signatures. Note that access restrictions and monitoring provide defense-in-depth but cannot eliminate the core vulnerability requiring backend authorization enforcement.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28591
GHSA-j4mr-3f43-qwmq