CashDro 3 Web Admin Panel Brute-Force and Authorization Bypass (CVE-2026-8076/8077)

[Update 08/05/2026] CashDro 3 Multiple Vulnerabilities Vulnerability Overview INCIBE-CERT disclosed two vulnerabilities in the CashDro 3 smart cash management drawer web management panel: CVE-2026-8076 (Severity: High): Weak credentials vulnerability. Allows attackers to access accounts through brute-force attacks by attempting different PIN codes. CVE-2026-8077 (Severity: High): Lack of authorization controls. Attackers can bypass restrictions and take full control of the system by modifying binary strings in JSON responses. Scope Affected Resources: CashDro 3 Management Panel Affected Versions: 24.01.00.26 Remediation Regarding CVE-2026-8076: The system supports PIN-based credentials and maintains compatibility with POS software deployed since 2012. Regarding CVE-2026-8077: The backend lacks authorization controls, causing security to rely entirely on the frontend. Attackers can elevate privileges and obtain full administrative access by modifying binary strings. Vulnerability Details CVE-2026-8076 CVSS v4.0 Score: 9.1 CVSS Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/S:N CWE: CWE-1391 Description: In the CashDro 3 web management panel, version 24.01.00.26, user authentication is permitted using numeric PIN codes. The system supports PIN-based credentials and maintains compatibility with POS software deployed since 2012. This may allow attackers to perform simple brute-force attacks against users, gaining account access by trying different PIN codes without triggering account lockouts. Successful exploitation of this vulnerability could lead to unauthorized access to confidential configuration settings, compromising system security. CVE-2026-8077 CVSS v4.0 Score: 8.8 CVSS Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/S:N CWE: CWE-862 Description: The CashDro 3 web management panel, version 24.01.00.26, lacks proper authorization implementation. The backend does not enforce authorization controls, meaning security relies entirely on the frontend. By modifying the binary string within the "Permissions" field in the JSON response, attackers can elevate privileges and obtain full administrative access. This vulnerability allows for the bypass of all restrictions, resulting in complete compromise of system management.

Goal Reached Thanks to every supporter — we hit 100%!

CashDro 3 Web Admin Panel Brute-Force and Authorization Bypass (CVE-2026-8076/8077)