8.7
eNet SMART HOME Server Password Reset Flaw Allows Unauthorized Access
CVE-2026-26368
Summary
An attacker can use a feature meant for password reset to take over any account, including admin accounts, without knowing the current password. The attacker only needs to log in with a lower-level account and send a crafted request to the server. To fix this, update to a patched version of the eNet SMART HOME server software as soon as one is available.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| jung-group | enet_smart_home | 2.2.1 | – |
| jung-group | enet_smart_home | 2.3.1 | – |
Original title
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset t...
Original description
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without supplying the current password or having sufficient privileges. By sending a crafted JSON-RPC request to /jsonrpc/management, an attacker can overwrite existing credentials, resulting in direct account takeover with full administrative access and persistent privilege escalation.
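The authorization check whose absence defines this class of flaw (CWE-862) can be sketched as follows. This is an added example, not eNet SMART HOME code: the parameter names (`userName`, `newPassword`, `currentPassword`), the group ranking and the reset policy are assumptions; only the method name and group names come from the description above.

```python
# Added example: hypothetical handler, not the vendor's implementation.
import hmac

# Group names are from the advisory; the numeric ranking is an assumption.
RANK = {"UG_USER": 1, "UG_ADMIN": 2, "UG_SUPER_ADMIN": 3}

# Constructed sample accounts (plaintext only to keep the sketch short;
# a real server stores salted password hashes).
USERS = {
    "guest": {"group": "UG_USER", "password": "guest-pw"},
    "admin": {"group": "UG_ADMIN", "password": "admin-pw"},
    "root": {"group": "UG_SUPER_ADMIN", "password": "root-pw"},
}

class Forbidden(Exception):
    """Raised when the session user may not perform the reset."""

def authorize_reset(caller, target, current_password=None):
    """Raise Forbidden unless `caller` may reset `target`'s password."""
    if caller not in USERS or target not in USERS:
        raise Forbidden("unknown account")
    if caller == target:
        # Self-service change: the caller must prove the current password.
        supplied = current_password if isinstance(current_password, str) else ""
        stored = USERS[target]["password"]
        if not hmac.compare_digest(supplied.encode(), stored.encode()):
            raise Forbidden("current password required")
        return
    caller_rank = RANK[USERS[caller]["group"]]
    target_rank = RANK[USERS[target]["group"]]
    # Resetting another account: admin or above, never a higher-ranked target.
    if caller_rank < RANK["UG_ADMIN"] or caller_rank < target_rank:
        raise Forbidden("insufficient privileges")

def reset_user_password(session_user, params):
    """JSON-RPC style handler; `session_user` is taken from the
    authenticated session, never from the request body."""
    target = params.get("userName")
    new_password = params.get("newPassword")
    if not isinstance(new_password, str) or not new_password:
        raise ValueError("newPassword must be a non-empty string")
    authorize_reset(session_user, target, params.get("currentPassword"))
    USERS[target]["password"] = new_password
    return {"result": "ok"}
```

The decision depends only on the server-side session identity and the stored group of the target, so a request body cannot talk its way past the check.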
nvd CVSS3.1
8.8
nvd CVSS4.0
8.7
Vulnerability type
CWE-862
Missing Authorization
- https://www.vulncheck.com/advisories/jung-enet-smart-home-server-account-takeove... (Broken Link)
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5974.php (Third Party Advisory, Exploit)
Published: 15 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026