
Description

Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escalate privileges and gain full administrative access. This vulnerability allows all restrictions to be bypassed and completely compromises system management.
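A condensed illustration of the flaw class described above (CWE-862: the backend performs no check, and the UI gates actions on a permission bit string it received in a JSON response) beside the server-side enforcement that fixes it. This is an added example, not CashDro's code; the session store, the bit layout and the handler names are assumptions.

```python
"""Added example (not CashDro's code). Shows why gating on a client-held
'Permissions' string is no authorization at all, and the server-side fix."""

# Assumed layout: position of each capability in the permission bit string.
PERMISSION_BITS = {"view_status": 0, "open_drawer": 1, "manage_users": 2}

# Constructed server-side session store: session token -> permission string.
# A real deployment would load this from the application's user database.
SESSIONS = {
    "tok-operator": "100",   # may only view status
    "tok-admin":    "111",   # full administrative rights
}


def has_permission(perms: str, capability: str) -> bool:
    """True when the capability's bit is set in the permission string."""
    idx = PERMISSION_BITS[capability]
    return len(perms) > idx and perms[idx] == "1"


def frontend_enables(response_json: dict, capability: str) -> bool:
    """What the UI does: it shows or hides a control based solely on the
    'Permissions' field it received. Anything that alters that field
    (a proxy, browser devtools) changes the UI's decision."""
    return has_permission(response_json.get("Permissions", ""), capability)


def vulnerable_backend_manage_users(token: str) -> str:
    """Pattern in the advisory: the backend performs the action with no
    authorization check, trusting that the frontend hid the button."""
    return "ok" if token in SESSIONS else "unauthenticated"


def hardened_backend_manage_users(token: str) -> str:
    """Fix: permissions are resolved from the server-side session record
    bound to the token; nothing the client sends about permissions is used."""
    perms = SESSIONS.get(token)
    if perms is None:
        return "unauthenticated"
    if not has_permission(perms, "manage_users"):
        return "forbidden"
    return "ok"
```

The hardened handler takes only the session token from the client; the authorization decision is made entirely from server-held state.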

Status: PUBLISHED | Reserved 2026-05-07 | Published 2026-05-08 | Updated 2026-05-08 | Assigner INCIBE

HIGH: 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-862: Missing Authorization

Product status

Default status: unaffected

24.01.00.26: affected

Credits

Pedro Gabaldón Juliá (finder)

Javier Medina Munuera (finder)

David Montoro Aguilera (finder)

Javier Ayala Ortín (finder)

Pedro Castillo Torío (finder)

References

labs.itresit.es/...abilities-from-pentest-to-stealing-money/ (exploit)

www.incibe.es/...es/aviso/multiple-vulnerabilities-cashdro-3 (patch)

labs.itresit.es/...abilities-from-pentest-to-stealing-money/

cve.org (CVE-2026-8077)

nvd.nist.gov (CVE-2026-8077)
