CVE-2026-26367

EUVD-2026-6143

15.02.2026, 16:15

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
jung-group	enet_smart_home	2.2.1
jung-group	enet_smart_home	2.3.1

𝑥

= Vulnerable software versions

Known Exploits!

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://www.vulncheck.com/advisories/jung-enet-smart-home-server-arbitrary-user-deletio

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php