Description
Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This could allow an attacker to easily perform a brute-force attack against a user and gain access by trying different PINs without the account being locked. Successful exploitation of this vulnerability could result in unauthorized access to confidential configuration settings, compromising the security of the system.
Published: 2026-05-08
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CashDro 3 Administration Panel accepts purely numeric PINs for authentication. Because the platform does not lock accounts after repeated incorrect PIN attempts, the small keyspace can be brute-forced with minimal effort. Successful authentication would grant access to confidential configuration settings and potentially allow full control of the system, thereby compromising confidentiality, integrity, and availability.

Affected Systems

CashDro, specifically the CashDro 3 Administration Panel version 24.01.00.26. Older releases may also be affected if they retain the numeric PIN functionality; updated releases that enforce alphanumeric PINs have mitigated the issue.

Risk and Exploitability

The CVSS v4.0 base score of 9.3 indicates critical severity. EPSS data is unavailable, but the lack of a lockout policy suggests that brute-force attacks are feasible. The vulnerability is exposed through the web interface (AV:N), making it reachable by remote attackers. It is not listed in CISA's KEV catalog, but the potential impact remains high if active exploitation attempts occur.

Generated by OpenCVE AI on May 8, 2026 at 13:20 UTC.

Remediation

Vendor Solution

The new versions of Cashdro support alphanumeric PINs, thereby addressing the first vulnerability.
OpenCVE Recommended Actions

  • Upgrade CashDro to a version that enforces alphanumeric PINs for administrator accounts.
  • Implement login rate limiting or account lockout policies to prevent rapid brute-force attempts.
  • Reconfigure administrator accounts to use strong alphanumeric passwords if possible.
  • Consider enabling multi-factor authentication for the administration panel to add an additional security layer.

Generated by OpenCVE AI on May 8, 2026 at 13:20 UTC.

Advisories

No advisories yet.

History

Fri, 08 May 2026 13:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 13:00:00 +0000

Fri, 08 May 2026 12:15:00 +0000

Values added:
  • Description: Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This could allow an attacker to easily perform a brute-force attack against a user and gain access by trying different PINs without the account being locked. Successful exploitation of this vulnerability could result in unauthorized access to confidential configuration settings, compromising the security of the system.
  • Title: Weak credentials vulnerability in the CashDro 3 web administration panel
  • First Time appeared: Cashdro; Cashdro cashdro 3 Administration Panel
  • Weaknesses: CWE-1391
  • CPEs: cpe:2.3:a:cashdro:cashdro_3_administration_panel:24.01.00.26:*:*:*:*:*:*:*
  • Vendors & Products: Cashdro; Cashdro cashdro 3 Administration Panel
  • References:
  • Metrics (cvssV4_0): {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-05-08T12:48:22.218Z

Reserved: 2026-05-07T11:13:45.869Z

Link: CVE-2026-8076

Vulnrichment

Updated: 2026-05-08T12:48:18.618Z

NVD

Status : Deferred

Published: 2026-05-08T12:16:29.560

Modified: 2026-05-08T15:51:08.590

Link: CVE-2026-8076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T13:30:09Z

Weaknesses