CVE-2026-8076
Description
Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This could allow an attacker to easily perform a brute-force attack against a user and gain access by trying different PINs without the account being locked. Successful exploitation of this vulnerability could result in unauthorized access to confidential configuration settings, compromising the security of the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CashDro 3 admin panel uses numeric PINs without account lockout, enabling brute-force attacks that can lead to full system compromise.
Vulnerability
Overview
The CashDro 3 web administration panel (version 24.01.00.26) suffers from a critical weakness in its authentication mechanism. The platform allows the use of numeric PINs for user credentials, a design choice made to maintain compatibility with POS software integrations dating back to 2012 [1][2]. This reliance on short, numeric-only passwords significantly reduces the credential space, making brute-force attacks highly feasible.
Exploitation
Vector
An attacker can exploit this vulnerability by performing a brute-force attack against a user's PIN without any account lockout mechanism [1][2]. The system does not lock the account after repeated failed login attempts, allowing an attacker to try all possible PIN combinations until the correct one is found. No authentication is required to initiate the attack, and it can be carried out over the network [2].
Impact
Successful exploitation grants an attacker unauthorized access to the web administration panel. With this access, an attacker can view and modify confidential configuration settings, potentially compromising the entire system [1][2]. The advisory notes that this could lead to unauthorized cash extraction from the physical smart drawer [1].
Mitigation
As of the publication date (2026-05-08), INCIBE has coordinated disclosure of this vulnerability [2]. Users are advised to apply any available patches from CashDro and to implement network segmentation and strong password policies where possible. The vendor has not yet released a public patch at the time of this writing.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
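The two weaknesses the record describes (an all-numeric PIN keyspace and no lockout after failed attempts) can be quantified and countered in a few lines. The following is an added illustration, not code from the CVE record, INCIBE or the CashDro vendor; the policy numbers (failures allowed, lockout window) and the `stored_pin_for` lookup are assumptions.

```python
# Added example (not code from the CVE record, INCIBE or the CashDro vendor):
# why an all-numeric PIN with no lockout is cheap to brute-force, and a
# per-account lockout check of the kind the advisory says is missing.
# Policy numbers (5 failures, 300 s lockout) are assumptions, not CashDro's.
from dataclasses import dataclass, field
from typing import Callable, Dict
import hmac


def pin_keyspace(length: int) -> int:
    """Number of distinct PINs of the given length (digits 0-9 only)."""
    return 10 ** length


def expected_online_guess_time_s(length: int, attempts_per_second: float) -> float:
    """Mean time to hit a random PIN with unthrottled online guessing."""
    return (pin_keyspace(length) / 2) / attempts_per_second


def guesses_per_hour_with_lockout(max_failures: int, lockout_seconds: float) -> float:
    """Upper bound on guesses per hour once a per-account lockout is enforced."""
    return max_failures * 3600.0 / lockout_seconds


@dataclass
class LoginGuard:
    """Per-account failure counter with a temporary lockout."""
    max_failures: int = 5
    lockout_seconds: float = 300.0
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def attempt(self, user: str, pin: str, now: float,
                stored_pin_for: Callable[[str], str]) -> str:
        """Returns 'ok', 'denied' or 'locked'. A locked account rejects even
        the correct PIN, so a guesser gets no oracle during the window.
        stored_pin_for returns the reference PIN (a hash would be verified
        in a real deployment; plaintext here keeps the example short)."""
        if self.is_locked(user, now):
            return "locked"
        # constant-time comparison avoids leaking a partial match via timing
        if hmac.compare_digest(pin.encode(), stored_pin_for(user).encode()):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self._failures[user] = 0
            self._locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "denied"
```

With the assumed policy a 4-digit PIN falls from roughly 500 s of unthrottled guessing at 10 attempts/s to about 167 hours, and a lockout that also rate-limits by source address limits the denial-of-service an attacker could otherwise cause by deliberately locking legitimate users out.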
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 2
News mentions: 0 (no linked articles in the index yet)