Vulnerability Details CVE-2026-26367
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 1.3%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2026-26367
-
cpe:2.3:a:jung-group:enet_smart_home:2.2.1
-
cpe:2.3:a:jung-group:enet_smart_home:2.3.1