CVE-2026-26367

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-26367
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.vulncheck.com/advisories/jung-enet-smart-home-server-arbitrary-user-deletio Broken Link
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:jung-group:enet_smart_home:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:jung-group:enet_smart_home:2.3.1:*:*:*:*:*:*:*
History

02 Mar 2026, 15:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.5 		v2 : unknown
v3 : 8.1
References () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php - Third Party Advisory, Exploit () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php - Exploit, Third Party Advisory

26 Feb 2026, 22:39

Type Values Removed Values Added
References () https://www.vulncheck.com/advisories/jung-enet-smart-home-server-arbitrary-user-deletio - () https://www.vulncheck.com/advisories/jung-enet-smart-home-server-arbitrary-user-deletio - Broken Link
References () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php - () https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php - Third Party Advisory, Exploit
First Time Jung-group enet Smart Home
Jung-group
CPE cpe:2.3:a:jung-group:enet_smart_home:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:jung-group:enet_smart_home:2.2.1:*:*:*:*:*:*:*

18 Feb 2026, 17:52

Type Values Removed Values Added
Summary
  • (es) eNet SMART HOME server 2.2.1 y 2.3.1 contiene una vulnerabilidad de autorización faltante en el método JSON-RPC deleteUserAccount que permite a cualquier usuario autenticado con privilegios bajos (UG_USER) eliminar cuentas de usuario arbitrarias, excepto la cuenta de administrador integrada. La aplicación no aplica control de acceso basado en roles en esta función, permitiendo a un usuario estándar enviar una solicitud POST manipulada a /jsonrpc/management especificando otro nombre de usuario para que esa cuenta sea eliminada sin permisos elevados ni confirmación adicional.

15 Feb 2026, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-15 16:15

Updated : 2026-03-02 15:16

NVD link : CVE-2026-26367

Mitre link : CVE-2026-26367

CVE.ORG link : CVE-2026-26367

JSON object : View

Products Affected

jung-group

  • enet_smart_home
CWE
CWE-862

Missing Authorization