CVE-2026-26369

CriticalPublic PoC

Published: 15 February 2026

Published

15 February 2026

Modified

28 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 8.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26369 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Jung-Group Enet Smart Home. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Mandates enforcement of approved authorizations, directly addressing the insufficient authorization checks in the setUserGroup JSON-RPC method that allow privilege escalation.

AC-6 Least Privilege good match

prevent

Enforces least privilege to restrict low-privileged UG_USER accounts from elevating to UG_ADMIN, preventing unauthorized access to administrative functions.

AC-2 Account Management good match

prevent

Requires management of account types, group memberships, and privilege assignments to block unauthorized changes like those exploited via crafted POST requests to /jsonrpc/management.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Direct privilege escalation via exploitation of authorization flaw in setUserGroup JSON-RPC method (CWE-269), matching T1068 exactly.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

eNet SMART HOME server 2.2.1 and 2.3.1 contains a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/management specifying their own username to elevate…

their account to the UG_ADMIN group, bypassing intended access controls and gaining administrative capabilities such as modifying device configurations, network settings, and other smart home system functions.

Deeper analysisAI

CVE-2026-26369 is a privilege escalation vulnerability affecting eNet SMART HOME server versions 2.2.1 and 2.3.1. The issue arises from insufficient authorization checks in the setUserGroup JSON-RPC method, enabling unauthorized privilege elevation. Published on 2026-02-15, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management).

A low-privileged user with UG_USER role can exploit the vulnerability by sending a crafted POST request to the /jsonrpc/management endpoint, specifying their own username to elevate their account to the UG_ADMIN group. This bypasses intended access controls, allowing the attacker to gain administrative capabilities such as modifying device configurations, network settings, and other smart home system functions.

Mitigation guidance is available in vendor and researcher advisories, including those from VulnCheck (https://www.vulncheck.com/advisories/jung-enet-smart-home-server-privilege-escalation-v) and Zero Science (https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5975.php). Security practitioners should consult these references for patching instructions and workarounds.