7.1
eNet SMART HOME server allows unauthorized account deletion
CVE-2026-26367
Summary
Any authenticated user can delete other accounts except the admin account by sending a specific request. This could allow an attacker to lock out other users or disrupt the system. Update the SMART HOME server to the latest version to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| jung-group | enet_smart_home | 2.2.1 | – |
| jung-group | enet_smart_home | 2.3.1 | – |
Original title
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete...
Original description
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.
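The missing check described above, as an added example (not code from the eNet server or from the advisory): a JSON-RPC dispatcher that looks up the role each method requires and compares it with the caller's server-side role before the handler runs. Only `deleteUserAccount`, `UG_USER` and the admin exception come from the advisory; `UG_ADMIN`, the `userName` parameter, the tokens and the account table are assumptions.

```python
import json

# Constructed data: UG_USER is named in the advisory; UG_ADMIN, the param
# name "userName" and the session/account layout are assumptions.
ACCOUNTS = {"admin": "UG_ADMIN", "alice": "UG_USER", "bob": "UG_USER"}
SESSIONS = {"tok-admin": "admin", "tok-alice": "alice"}

# Deny by default: a method with no entry here is never dispatched.
REQUIRED_ROLE = {"deleteUserAccount": "UG_ADMIN"}


def delete_user_account(params):
    name = params.get("userName")
    if name == "admin" or name not in ACCOUNTS:
        raise ValueError("account cannot be deleted")
    del ACCOUNTS[name]
    return {"deleted": name}


HANDLERS = {"deleteUserAccount": delete_user_account}


def error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle_management(token, body):
    """Dispatch one JSON-RPC request; authorization runs before the handler."""
    caller = SESSIONS.get(token)
    if caller is None or caller not in ACCOUNTS:
        return error(None, -32001, "not authenticated")
    try:
        req = json.loads(body)
        method, req_id = str(req["method"]), req.get("id")
        params = req.get("params") or {}
        if not isinstance(params, dict):
            raise TypeError("params must be an object")
    except (ValueError, KeyError, TypeError, AttributeError):
        return error(None, -32600, "invalid request")
    needed = REQUIRED_ROLE.get(method)
    if method not in HANDLERS or needed is None:
        return error(req_id, -32601, "method not found")
    # The check the advisory reports as missing: caller's role vs. required role.
    if ACCOUNTS[caller] != needed:
        return error(req_id, -32003, "forbidden")
    try:
        return {"jsonrpc": "2.0", "id": req_id, "result": HANDLERS[method](params)}
    except ValueError as exc:
        return error(req_id, -32602, str(exc))
```

The role is read from the server-side session record, never from the request body, so a caller cannot assert its own privilege level.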
nvd CVSS3.1
8.1
nvd CVSS4.0
7.1
Vulnerability type
CWE-862
Missing Authorization
- https://www.vulncheck.com/advisories/jung-enet-smart-home-server-arbitrary-user-... (Broken Link)
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php (Exploit, Third Party Advisory)
Published: 15 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026