CVE-2026-26367
Unknown Unknown - Not Provided
Missing Authorization in eNet SMART HOME Allows User Account Deletion

Publication date: 2026-02-15

Last updated on: 2026-03-02

Assigner: VulnCheck

Description
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-15
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-15
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26367
EUVD
EUVD-2026-6143
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
jung-group enet_smart_home 2.2.1
jung-group enet_smart_home 2.3.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The eNet SMART HOME server versions 2.2.1 and 2.3.1 have a critical authorization vulnerability in the deleteUserAccount JSON-RPC method.

This vulnerability allows any authenticated user with low privileges (UG_USER role) to delete arbitrary user accounts except the built-in admin account.

The root cause is the lack of proper role-based access control enforcement on this function, which means a standard user can craft a POST request specifying another username and remove that account without needing elevated permissions or additional confirmation.

Impact Analysis

This vulnerability can lead to denial of service by allowing low-privileged users to delete legitimate user accounts.

It can disrupt normal operations of the eNet SMART HOME system by removing users unexpectedly.

Additionally, attackers might use this flaw to conceal malicious activities by deleting user accounts that could detect or report their actions.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the /jsonrpc/management endpoint that invoke the deleteUserAccount JSON-RPC method.'}, {'type': 'paragraph', 'content': 'Specifically, look for POST requests from low-privileged users (UG_USER role) attempting to delete user accounts other than the built-in admin account.'}, {'type': 'paragraph', 'content': 'A possible command to detect such activity using network traffic inspection tools like tcpdump or tshark could be:'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /jsonrpc/management'"}, {'type': 'paragraph', 'content': 'Alternatively, using curl or similar tools to test the vulnerability by crafting a POST request to /jsonrpc/management with the deleteUserAccount method and a target username can help verify if unauthorized deletions are possible.'}] [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /jsonrpc/management endpoint to only trusted and authorized users.

Implement network-level controls such as firewall rules or VPN access to limit who can reach the vulnerable service.

Monitor and audit user account deletion activities closely to detect any unauthorized attempts.

If possible, disable or restrict the deleteUserAccount JSON-RPC method until a vendor patch or update is available.

Contact the vendor for updates or patches addressing this missing authorization vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26367. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart