CVE-2026-26367

High CVSS: 7.1

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.

Vendor

Jung-group

Product

Enet Smart Home

CWE

CWE-862

Yayın Tarihi

2026-02-15 16:15:54

Güncelleme

2026-03-02 15:16:35

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-862 Enet Smart Home HIGH Jung-group 2026

Referanslar

https://www.vulncheck.com/advisories/jung-enet-smart-home-server-arbitrary-user-deletio https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php

Benzer Kayıtlar

High

CVE-2026-26368

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC…

Critical

CVE-2026-26369

eNet SMART HOME server 2.2.1 and 2.3.1 contains a privilege escalation vulnerability due to insufficient authorization c…

Critical

CVE-2026-26366

eNet SMART HOME server 2.2.1 and 2.3.1 ships with default credentials (user:user, admin:admin) that remain active after…

High

CVE-2026-26234

JUNG Smart Visu Server 1.1.1050 contains a request header manipulation vulnerability that allows unauthenticated attacke…

High

CVE-2026-26235

JUNG Smart Visu Server 1.1.1050 contains a denial of service vulnerability that allows unauthenticated attackers to remo…