Vulnerability Details CVE-2026-26368
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without supplying the current password or having sufficient privileges. By sending a crafted JSON-RPC request to /jsonrpc/management, an attacker can overwrite existing credentials, resulting in direct account takeover with full administrative access and persistent privilege escalation.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 3.5%
CVSS Severity
CVSS v3 Score 8.8
References
Products affected by CVE-2026-26368
-
cpe:2.3:a:jung-group:enet_smart_home:2.2.1
-
cpe:2.3:a:jung-group:enet_smart_home:2.3.1