Cyber Posture

CVE-2026-26367

High · Public PoC

Published: 15 February 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: none recorded
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0001 (3.1st percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26367 is a high-severity Missing Authorization (CWE-862) vulnerability in Jung-Group Enet Smart Home. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Access Removal (T1531). The CVE is ranked at the 3.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof of concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Account Access Removal (T1531). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly mandates enforcement of approved authorizations, including role-based access control on the deleteUserAccount JSON-RPC method, preventing a low-privileged UG_USER from deleting arbitrary accounts.
- Prevent: Implements the least privilege principle to restrict the account deletion capability to elevated roles only, such as administrators, blocking unauthorized use by standard users.
- Prevent: Establishes account management procedures requiring authorization for account deletions, mitigating the risk of unauthorized removals through defined processes and reviews.

MITRE ATT&CK Enterprise Techniques

T1531 Account Access Removal (Impact)
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.

Why these techniques?

Missing authorization in the deleteUserAccount JSON-RPC method directly allows low-privileged authenticated users to delete arbitrary accounts (except admin), mapping to Account Access Removal because it disrupts access and integrity.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.

Deeper analysis

CVE-2026-26367 is a missing authorization vulnerability (CWE-862) affecting the eNet SMART HOME server versions 2.2.1 and 2.3.1. The flaw resides in the deleteUserAccount JSON-RPC method, where the application fails to enforce role-based access control. This allows any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account, by submitting a crafted POST request to the /jsonrpc/management endpoint specifying a target username, without requiring elevated permissions or additional confirmation. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), highlighting high impacts on integrity and availability.

An attacker with low-privileged user credentials (UG_USER) can exploit this over the network with low complexity and no user interaction required. After authenticating, the attacker crafts and sends a POST request to /jsonrpc/management invoking the deleteUserAccount method with the desired victim's username as a parameter. Successful exploitation results in the immediate deletion of the targeted account, potentially disrupting user access, configurations, or linked smart home devices controlled by that account, while leaving the admin account intact.

Advisories from VulnCheck and Zero Science detail the vulnerability and proof-of-concept exploitation; practitioners should consult https://www.vulncheck.com/advisories/jung-enet-smart-home-server-arbitrary-user-deletio and https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php for recommended mitigations, such as applying patches if available or implementing strict access controls on management endpoints.
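The following Python example is added here to show the CWE-862 pattern described above and the AC-3/AC-6 fix side by side; it is illustrative code written for this page, not the eNet SMART HOME server's implementation. The method name deleteUserAccount, the /jsonrpc/management path, the UG_USER role and the protected built-in admin account come from the advisory text; the parameter name userName, the administrator role name UG_ADMIN, the in-memory user store, the audit trail and the JSON-RPC error codes are assumptions. The hardened handler makes the authorization decision server-side from the authenticated session's role, denies by default before any state changes, and records denied attempts so they can be alerted on.

```python
import json
from dataclasses import dataclass, field

# UG_USER and the built-in "admin" account are named in the advisory;
# UG_ADMIN is an assumed name for the elevated role.
ROLE_USER = "UG_USER"
ROLE_ADMIN = "UG_ADMIN"
BUILTIN_ADMIN = "admin"
MANAGEMENT_PATH = "/jsonrpc/management"   # endpoint named in the advisory


@dataclass
class Session:
    """Server-side session created at login; the role is resolved by the
    server and is never taken from the request body."""
    username: str
    role: str


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)   # username -> role (assumed model)
    audit: list = field(default_factory=list)   # (actor, method, target, outcome)


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def _result(req_id, result):
    return {"jsonrpc": "2.0", "id": req_id, "result": result}


def vulnerable_delete_user_account(store, session, params, req_id):
    """CWE-862 shape: the only checks are 'caller is authenticated' (implied by
    having a Session) and 'target is not the built-in admin'. The caller's role
    is never examined, so any UG_USER can remove any other account."""
    target = params.get("userName")
    if target == BUILTIN_ADMIN:
        return _error(req_id, -32001, "built-in admin cannot be deleted")
    if target not in store.users:
        return _error(req_id, -32002, "no such user")
    del store.users[target]
    store.audit.append((session.username, "deleteUserAccount", target, "deleted"))
    return _result(req_id, {"deleted": target})


def hardened_delete_user_account(store, session, params, req_id):
    """Same method with AC-3 (access enforcement) and AC-6 (least privilege):
    the role check runs first, denies by default, and logs the refused call."""
    target = params.get("userName")
    if session.role != ROLE_ADMIN:
        store.audit.append((session.username, "deleteUserAccount", target, "denied"))
        return _error(req_id, -32003, "forbidden: administrator role required")
    if target == BUILTIN_ADMIN:
        return _error(req_id, -32001, "built-in admin cannot be deleted")
    if target not in store.users:
        return _error(req_id, -32002, "no such user")
    del store.users[target]
    store.audit.append((session.username, "deleteUserAccount", target, "deleted"))
    return _result(req_id, {"deleted": target})


def handle_management_request(store, session, path, body, handlers):
    """Minimal JSON-RPC 2.0 dispatcher for the management endpoint. `handlers`
    maps method names to functions so one envelope can be routed to either
    the vulnerable or the hardened implementation."""
    if path != MANAGEMENT_PATH:
        return _error(None, -32601, "unknown endpoint")
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return _error(None, -32700, "parse error")
    req_id = req.get("id")
    if req.get("jsonrpc") != "2.0" or not isinstance(req.get("method"), str):
        return _error(req_id, -32600, "invalid request")
    handler = handlers.get(req["method"])
    if handler is None:
        return _error(req_id, -32601, "method not found")
    params = req.get("params") or {}
    if not isinstance(params, dict):
        return _error(req_id, -32602, "invalid params")
    return handler(store, session, params, req_id)


def new_store():
    """Constructed sample data: the built-in admin plus two ordinary users."""
    return UserStore(users={BUILTIN_ADMIN: ROLE_ADMIN, "alice": ROLE_USER, "bob": ROLE_USER})


def delete_as(store, actor, target, handler):
    """Submit the POST body a client would send to the endpoint, as `actor`."""
    session = Session(actor, store.users[actor])
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "deleteUserAccount",
                       "params": {"userName": target}})
    return handle_management_request(store, session, MANAGEMENT_PATH, body,
                                     {"deleteUserAccount": handler})


if __name__ == "__main__":
    s = new_store()
    print(delete_as(s, "alice", "bob", vulnerable_delete_user_account))  # bob is removed
    s = new_store()
    print(delete_as(s, "alice", "bob", hardened_delete_user_account))    # forbidden
    print(s.audit)                                                       # denied attempt logged
```

The audit entries written on denial are the detection hook: a standard user calling deleteUserAccount against someone else's account is exactly the event a SIEM rule for this CVE should raise on, whether or not the server has been patched.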

Details

CWE(s)

CWE-862 Missing Authorization

Affected Products

Vendor: jung-group
Product: enet smart home
Versions: 2.2.1, 2.3.1

CVEs Like This One

CVE-2026-26368 (same product: Jung-Group Enet Smart Home)
CVE-2026-26366 (same product: Jung-Group Enet Smart Home)
CVE-2026-26369 (same product: Jung-Group Enet Smart Home)
CVE-2026-26235 (same vendor: Jung-Group)
CVE-2026-26234 (same vendor: Jung-Group)
CVE-2025-26372 (shared CWE-862)
CVE-2025-14741 (shared CWE-862)
CVE-2025-26368 (shared CWE-862)
CVE-2025-26377 (shared CWE-862)
CVE-2026-4283 (shared CWE-862)
