Description

The CashDro 3 web administration panel, version 24.01.00.26, accepts weak credentials: the platform allows numeric PINs for user authentication. PIN-based credentials are supported to maintain compatibility with POS software integrations deployed since 2012. An attacker could therefore easily brute-force a user's account, trying different PINs without the account being locked, and gain access. Successful exploitation of this vulnerability could result in unauthorized access to confidential configuration settings, compromising the security of the system.

PUBLISHED Reserved 2026-05-07 | Published 2026-05-08 | Updated 2026-05-08 | Assigner INCIBE




CRITICAL: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-1391: Use of Weak Credentials

Product status

Default status
unaffected

24.01.00.26
affected

Credits

Pedro Gabaldón Juliá finder

Javier Medina Munuera finder

David Montoro Aguilera finder

Javier Ayala Ortín finder

Pedro Castillo Torío finder

References

www.incibe.es/...es/aviso/multiple-vulnerabilities-cashdro-3 patch

labs.itresit.es/...abilities-from-pentest-to-stealing-money/

cve.org (CVE-2026-8076)

nvd.nist.gov (CVE-2026-8076)
