CVE-2026-26369

EUVD-2026-6140

15.02.2026, 16:15

eNet SMART HOME server 2.2.1 and 2.3.1 contains a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/management specifying their own username to elevate their account to the UG_ADMIN group, bypassing intended access controls and gaining administrative capabilities such as modifying device configurations, network settings, and other smart home system functions.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
jung-group	enet_smart_home	2.2.1
jung-group	enet_smart_home	2.3.1

𝑥

= Vulnerable software versions

Known Exploits!

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5975.php

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

https://www.vulncheck.com/advisories/jung-enet-smart-home-server-privilege-escalation-v

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5975.php