Cyber Resilience

CVE-2026-26368

HighPublic PoC

Published: 15 February 2026

Published
15 February 2026
Modified
28 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0053 40.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-26368 is a high-severity Missing Authorization (CWE-862) vulnerability in Jung-Group Enet Smart Home. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 40.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-26368, published on 2026-02-15, is a missing authorization vulnerability (CWE-862) in the resetUserPassword JSON-RPC method of the eNet SMART HOME server versions 2.2.1 and 2.3.1. The flaw enables any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without supplying the current password or possessing sufficient privileges. Rated at CVSS 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), it allows attackers to send crafted JSON-RPC requests to the /jsonrpc/management endpoint, overwriting existing credentials.

Any authenticated user with minimal UG_USER privileges can exploit this vulnerability remotely over the network with low complexity. Successful exploitation results in direct account takeover of targeted users, including administrators, granting full administrative access and enabling persistent privilege escalation.

Mitigation details are outlined in vendor and researcher advisories, including those from VulnCheck at https://www.vulncheck.com/advisories/jung-enet-smart-home-server-account-takeover-via-r and Zero Science Lab at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5974.php.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without…

more

supplying the current password or having sufficient privileges. By sending a crafted JSON-RPC request to /jsonrpc/management, an attacker can overwrite existing credentials, resulting in direct account takeover with full administrative access and persistent privilege escalation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization in remote JSON-RPC password reset enables direct account takeover (T1098) of admin accounts from low-priv user, constituting exploitation for privilege escalation (T1068) against a public-facing management endpoint (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26367Same product: Jung-Group Enet Smart Home
CVE-2026-26369Same product: Jung-Group Enet Smart Home
CVE-2026-26366Same product: Jung-Group Enet Smart Home
CVE-2025-26378Shared CWE-862
CVE-2026-4003Shared CWE-862
CVE-2025-9054Shared CWE-862
CVE-2025-8898Shared CWE-862
CVE-2026-21743Shared CWE-862
CVE-2024-12129Shared CWE-862
CVE-2026-2941Shared CWE-862

Affected Assets

jung-group
enet smart home
2.2.1, 2.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations to prevent low-privileged users from accessing or modifying higher-privileged accounts via the resetUserPassword method.

prevent

Implements least privilege to restrict low-privileged UG_USER accounts from performing administrative password resets on UG_ADMIN or UG_SUPER_ADMIN accounts.

prevent

Manages authenticators with procedures requiring proper authorization and current password verification before allowing password changes on arbitrary accounts.

References