CVE-2026-27073 identifies a security vulnerability in the Addi – Cuotas que se adaptan a ti buy-now-pay-later platform, specifically versions up to 2.0.4. The core issue is the presence of hard-coded credentials within the application, which are static usernames or passwords embedded in the software code. These credentials can be discovered through reverse engineering or code inspection, enabling attackers to bypass authentication mechanisms. The vulnerability particularly impacts the password recovery process, allowing exploitation that could lead to unauthorized account access or password resets without proper verification. This undermines the confidentiality and integrity of user accounts and sensitive financial data managed by the platform. Addi is a fintech service widely used in Latin America to facilitate installment payments, making the vulnerability critical for financial security and user trust. No public exploits have been reported yet, but the potential for abuse is high given the nature of the flaw. The absence of a CVSS score necessitates a severity assessment based on the vulnerability's characteristics, which indicate a high risk due to ease of exploitation and significant impact. Remediation requires eliminating hard-coded credentials, enhancing password recovery security, and deploying patches once released by the vendor.

The exploitation of this vulnerability could lead to unauthorized access to user accounts on the Addi platform, potentially allowing attackers to reset passwords, access personal and financial information, and perform fraudulent transactions. This compromises the confidentiality and integrity of sensitive user data and could result in financial losses for both users and the service provider. Additionally, the breach of trust could damage Addi's reputation and lead to regulatory scrutiny, especially in jurisdictions with strict data protection laws. Organizations relying on Addi for payment processing or credit services may face operational disruptions and increased risk of fraud. The vulnerability's exploitation does not require user interaction, increasing the likelihood of automated attacks. The scope is limited to users of the affected Addi versions but given the platform's market penetration in Latin America, the impact could be widespread in that region.

To mitigate this vulnerability, organizations and users should: 1) Immediately check for and apply any patches or updates released by Addi that address the hard-coded credentials issue. 2) If patches are not yet available, restrict access to the affected application components and monitor for suspicious activity related to password recovery attempts. 3) Remove or replace hard-coded credentials in the application codebase with secure, dynamically managed authentication methods such as environment variables or secure vaults. 4) Enhance password recovery mechanisms by implementing multi-factor authentication (MFA) and verifying user identity through multiple channels. 5) Conduct thorough code audits and penetration testing to identify and remediate similar credential management flaws. 6) Educate users about phishing and social engineering risks that could compound the impact of this vulnerability. 7) Implement robust logging and alerting to detect unauthorized access attempts promptly. 8) Collaborate with Addi support and security teams to stay informed about vulnerability status and remediation timelines.