CVE-2026-26367
Missing Authorization in eNet SMART HOME Allows User Account Deletion
Publication date: 2026-02-15
Last updated on: 2026-03-02
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jung-group | enet_smart_home | 2.2.1 |
| jung-group | enet_smart_home | 2.3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The eNet SMART HOME server versions 2.2.1 and 2.3.1 contain a missing-authorization vulnerability (CWE-862) in the deleteUserAccount JSON-RPC method, which is exposed on the /jsonrpc/management endpoint.
This vulnerability allows any authenticated user with low privileges (UG_USER role) to delete arbitrary user accounts other than the built-in admin account.
The root cause is the absence of role-based access control enforcement on this method: the server verifies that the caller is logged in and (apparently) that the target is not the built-in admin account, but never checks whether the caller's role is permitted to delete accounts. A standard user can therefore send a POST request naming another username and remove that account without elevated permissions or any additional confirmation.
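The following is an added illustration of the CWE-862 pattern described above, not code from eNet SMART HOME or from the advisory: a tiny JSON-RPC front end dispatching deleteUserAccount to a handler that only checks that the caller is logged in, beside the same handler with the missing role check added. The parameter name "username", the administrative role name "UG_ADMIN" and the account name "admin" are assumptions; only the method name, the UG_USER role and the "built-in admin is protected" rule come from the page.

```python
"""Added illustration of the CWE-862 pattern this advisory describes: a
JSON-RPC deleteUserAccount handler that checks only that the caller is logged
in, beside one that also enforces the caller's role.  This is example code,
not eNet SMART HOME code.  Assumptions: the parameter is named "username",
the administrative role is "UG_ADMIN", the built-in account is "admin"."""
import json

METHOD = "deleteUserAccount"
ADMIN_ROLE = "UG_ADMIN"     # assumption: name of the administrative role
ADMIN_ACCOUNT = "admin"     # assumption: the built-in account the page says survives deletion


class AuthzError(Exception):
    """Raised when a request must be refused for authn/authz reasons."""


def make_users():
    """Constructed user store: account name -> role."""
    return {"admin": ADMIN_ROLE, "alice": "UG_USER", "bob": "UG_USER"}


def delete_user_vulnerable(users, session, params):
    """Behaviour the advisory describes: any authenticated session may delete
    any account other than the built-in admin (no role check at all)."""
    if not session.get("authenticated"):
        raise AuthzError("not authenticated")
    target = params.get("username")
    if target == ADMIN_ACCOUNT:
        raise AuthzError("built-in admin account cannot be deleted")
    if target not in users:
        raise AuthzError("no such user")
    del users[target]
    return True


def delete_user_fixed(users, session, params):
    """Same operation with the missing authorization check: the role of the
    calling session is consulted before any state changes."""
    if not session.get("authenticated"):
        raise AuthzError("not authenticated")
    if session.get("role") != ADMIN_ROLE:
        raise AuthzError("insufficient role for %s" % METHOD)
    target = params.get("username")
    if target == ADMIN_ACCOUNT:
        raise AuthzError("built-in admin account cannot be deleted")
    if target not in users:
        raise AuthzError("no such user")
    del users[target]
    return True


def handle_jsonrpc(users, session, raw_body, handler):
    """Minimal JSON-RPC 2.0 front end for a POST body: dispatches
    deleteUserAccount to `handler` and returns the response object."""
    req = json.loads(raw_body)
    resp = {"jsonrpc": "2.0", "id": req.get("id")}
    if req.get("method") != METHOD:
        resp["error"] = {"code": -32601, "message": "Method not found"}
        return resp
    params = req.get("params") or {}
    try:
        resp["result"] = handler(users, session, params)
    except AuthzError as exc:
        resp["error"] = {"code": -32000, "message": str(exc)}
    return resp


if __name__ == "__main__":
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": METHOD,
                       "params": {"username": "bob"}})
    low_priv = {"authenticated": True, "user": "alice", "role": "UG_USER"}
    print(handle_jsonrpc(make_users(), low_priv, body, delete_user_vulnerable))
    print(handle_jsonrpc(make_users(), low_priv, body, delete_user_fixed))
```

The point to take from the two handlers is where the role check sits: before any lookup or mutation, on the session rather than on anything the client sends in the request body. A check placed after the deletion, or one that trusts a role field supplied in the JSON-RPC params, would leave the same hole.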
How can this vulnerability impact me?
This vulnerability can lead to denial of service by allowing low-privileged users to delete legitimate user accounts.
It can disrupt normal operations of the eNet SMART HOME system by removing users unexpectedly.
Additionally, an attacker holding a low-privileged account might use this flaw to lock other users out of the system, or to remove the accounts of users who could notice or report the attacker's activity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for POST requests to the /jsonrpc/management endpoint that invoke the deleteUserAccount JSON-RPC method, in particular calls issued from sessions in the low-privileged UG_USER role that name an account other than the caller's own (the built-in admin account cannot be deleted, so it will not appear as a target).
One way to spot such traffic on the wire, if the server speaks cleartext HTTP on port 80, is a tcpdump filter that prints only TCP segments carrying payload:
```sh
# Print request lines for the management endpoint and any payload line carrying
# the method name; -l line-buffers the output so grep sees matches promptly.
tcpdump -A -l -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' \
  | grep -E 'POST /jsonrpc/management|deleteUserAccount'
```
The request line and the JSON body appear on separate output lines, so matching only `POST /jsonrpc/management` would list every management call without showing which method was invoked; the second pattern picks out the body. Adjust the port if the server listens elsewhere, and note that this sees nothing on a TLS-protected connection; in that case use the server's own logs or those of a TLS-terminating reverse proxy in front of it.
Alternatively, a POST request to /jsonrpc/management invoking deleteUserAccount with a disposable test account as the target, sent from a UG_USER session, verifies whether an unpatched server still permits the deletion. Run that only against an account you are prepared to lose. [1]
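When the traffic is available as server or reverse-proxy logs rather than on the wire, the detection described above can be run offline. The scanner below is an added example, not eNet or VulnCheck tooling: it reads one JSON record per line, keeps POSTs to /jsonrpc/management, parses the JSON-RPC body (unwrapping batch arrays, which a check on a top-level "method" field would miss), and reports every deleteUserAccount call, ranking calls from non-admin sessions as HIGH. The record layout, the "role" field, the admin role name "UG_ADMIN" and the "username" parameter are assumptions, and the sample records are constructed.

```python
"""Added detection example for the advisory's guidance: find
deleteUserAccount calls to /jsonrpc/management and rank them by the
caller's role.  Not eNet or VulnCheck tooling.  The JSON-lines record
layout (as a reverse proxy that logs request bodies might emit), the
"role" field, the admin role name and the "username" parameter are all
assumptions; the sample records are constructed."""
import json

ENDPOINT = "/jsonrpc/management"
METHOD = "deleteUserAccount"
ADMIN_ROLE = "UG_ADMIN"   # assumption: role that legitimately deletes accounts


def _rec(ts, src, http_method, path, role, user, body):
    """One constructed log record, serialised as a single JSON line."""
    return json.dumps({"ts": ts, "src": src, "method": http_method, "path": path,
                       "role": role, "user": user, "body": body})


def _rpc(rpc_id, method, params):
    return {"jsonrpc": "2.0", "id": rpc_id, "method": method, "params": params}


# Constructed sample capture (not real eNet traffic).
SAMPLE_LOG = "\n".join([
    _rec("2026-02-16T09:00:01Z", "192.0.2.10", "POST", ENDPOINT, ADMIN_ROLE, "admin",
         json.dumps(_rpc(1, "getUserList", {}))),
    _rec("2026-02-16T09:00:05Z", "192.0.2.10", "POST", ENDPOINT, ADMIN_ROLE, "admin",
         json.dumps(_rpc(2, METHOD, {"username": "oldtech"}))),
    _rec("2026-02-16T09:01:12Z", "192.0.2.55", "POST", ENDPOINT, "UG_USER", "alice",
         json.dumps(_rpc(3, METHOD, {"username": "bob"}))),
    # JSON-RPC batch: a scanner that reads only a top-level "method" misses this one.
    _rec("2026-02-16T09:01:40Z", "192.0.2.55", "POST", ENDPOINT, "UG_USER", "alice",
         json.dumps([_rpc(4, "getUserList", {}), _rpc(5, METHOD, {"username": "carol"})])),
    _rec("2026-02-16T09:02:00Z", "192.0.2.55", "GET", "/", "UG_USER", "alice", ""),
    '{"ts":"2026-02-16T09:02:30Z","truncated":tru',   # damaged line: must not abort the scan
])


def _rpc_calls(body):
    """Return the individual call objects in a JSON-RPC body, unwrapping batches;
    an empty or unparsable body yields nothing."""
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return []
    calls = parsed if isinstance(parsed, list) else [parsed]
    return [c for c in calls if isinstance(c, dict)]


def scan(log_text):
    """Return one finding per deleteUserAccount call seen at the management
    endpoint.  Calls from non-admin sessions are HIGH (the condition the
    advisory describes); admin-issued deletions are kept as INFO for audit."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            continue                      # skip damaged records, keep scanning
        if rec.get("method") != "POST" or rec.get("path") != ENDPOINT:
            continue
        for call in _rpc_calls(rec.get("body", "")):
            if call.get("method") != METHOD:
                continue
            params = call.get("params")
            target = params.get("username") if isinstance(params, dict) else None
            findings.append({
                "line": lineno,
                "ts": rec.get("ts"),
                "src": rec.get("src"),
                "caller": rec.get("user"),
                "role": rec.get("role"),
                "target": target,
                "rpc_id": call.get("id"),
                "severity": "HIGH" if rec.get("role") != ADMIN_ROLE else "INFO",
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%(severity)s line %(line)d %(ts)s %(src)s %(caller)s(%(role)s) "
              "-> %(target)s (rpc id %(rpc_id)s)" % f)
```

Admin-issued deletions are reported as well, because the same output doubles as an audit trail for the monitoring step in the mitigation advice; a deletion the administrator does not recognise is as interesting as one from a UG_USER session.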
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /jsonrpc/management endpoint to trusted and authorized users. Because the flaw is exploitable by any authenticated account, network restriction only reduces exposure; also review which UG_USER accounts exist and remove any that are no longer needed.
Implement network-level controls such as firewall rules or VPN access to limit who can reach the vulnerable service.
Monitor and audit user account deletion activity closely to detect unauthorized attempts.
If possible, disable or restrict the deleteUserAccount JSON-RPC method until a vendor patch or update is available. If this is done with a filtering reverse proxy, the filter must inspect the request body, since the method name is not part of the URL, and should also catch the method name inside JSON-RPC batch arrays if the server accepts them.
Contact the vendor for updates or patches addressing this missing authorization vulnerability.