Cyber Resilience

CVE-2026-26369

CriticalPublic PoC

Published: 15 February 2026

Published
15 February 2026
Modified
28 February 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0064 45.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-26369 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Jung-Group Enet Smart Home. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 45.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-26369 is a privilege escalation vulnerability affecting eNet SMART HOME server versions 2.2.1 and 2.3.1. The issue arises from insufficient authorization checks in the setUserGroup JSON-RPC method, enabling unauthorized privilege elevation. Published on 2026-02-15, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management).

A low-privileged user with UG_USER role can exploit the vulnerability by sending a crafted POST request to the /jsonrpc/management endpoint, specifying their own username to elevate their account to the UG_ADMIN group. This bypasses intended access controls, allowing the attacker to gain administrative capabilities such as modifying device configurations, network settings, and other smart home system functions.

Mitigation guidance is available in vendor and researcher advisories, including those from VulnCheck (https://www.vulncheck.com/advisories/jung-enet-smart-home-server-privilege-escalation-v) and Zero Science (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5975.php). Security practitioners should consult these references for patching instructions and workarounds.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

eNet SMART HOME server 2.2.1 and 2.3.1 contains a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/management specifying their own username to elevate…

more

their account to the UG_ADMIN group, bypassing intended access controls and gaining administrative capabilities such as modifying device configurations, network settings, and other smart home system functions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct privilege escalation via exploitation of authorization flaw in setUserGroup JSON-RPC method (CWE-269), matching T1068 exactly.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26368Same product: Jung-Group Enet Smart Home
CVE-2026-26367Same product: Jung-Group Enet Smart Home
CVE-2026-26366Same product: Jung-Group Enet Smart Home
CVE-2026-23896Shared CWE-269
CVE-2025-27639Shared CWE-269
CVE-2025-8899Shared CWE-269
CVE-2025-26705Shared CWE-269
CVE-2015-10139Shared CWE-269
CVE-2026-8972Shared CWE-269
CVE-2025-0893Shared CWE-269

Affected Assets

jung-group
enet smart home
2.2.1, 2.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates enforcement of approved authorizations, directly addressing the insufficient authorization checks in the setUserGroup JSON-RPC method that allow privilege escalation.

prevent

Enforces least privilege to restrict low-privileged UG_USER accounts from elevating to UG_ADMIN, preventing unauthorized access to administrative functions.

prevent

Requires management of account types, group memberships, and privilege assignments to block unauthorized changes like those exploited via crafted POST requests to /jsonrpc/management.

References