CVE-2026-26367 in eNet SMART HOME server
Summary
by MITRE • 02/15/2026
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/03/2026
The vulnerability identified as CVE-2026-26367 affects the eNet SMART HOME server versions 2.2.1 and 2.3.1, representing a critical authorization flaw that undermines the system's security model. This issue manifests within the deleteUserAccount JSON-RPC method, where the application fails to implement proper access control mechanisms. The vulnerability is particularly concerning because it allows any authenticated user with the UG_USER role to execute arbitrary account deletion operations against other user accounts, creating a significant privilege escalation vector within the system's user management framework.
The technical implementation of this vulnerability stems from the absence of role-based access control checks within the deleteUserAccount method. When a standard authenticated user submits a crafted POST request to the /jsonrpc/management endpoint, the system processes the request without verifying whether the requesting user possesses sufficient privileges to perform account deletion operations. This missing authorization check creates a direct path for privilege abuse where low-privileged users can manipulate the JSON-RPC interface to remove any user account except the built-in admin account, which appears to be protected by additional safeguards. The vulnerability operates at the application layer and leverages the existing authentication mechanism to bypass authorization controls, making it particularly stealthy and difficult to detect through standard security monitoring.
The operational impact of this vulnerability extends beyond simple account removal, as it fundamentally compromises the integrity of the user management system within the smart home environment. An attacker with access to any UG_USER account can systematically eliminate other users from the system, potentially disrupting legitimate operations, creating denial of service conditions for other users, or establishing persistent access by removing accounts that might have been monitoring system activities. This vulnerability also creates opportunities for social engineering attacks where attackers might delete user accounts to create confusion or remove accounts that could potentially expose system vulnerabilities. The persistence of this issue across multiple versions of the software indicates a systemic design flaw in the authorization implementation rather than a simple configuration error.
From a cybersecurity perspective, this vulnerability maps directly to CWE-285 (Improper Authorization) and aligns with ATT&CK technique T1078 (Valid Accounts) and T1484 (Domain Policy Modification). The lack of proper access control enforcement creates a condition where users can escalate their privileges through account manipulation, effectively bypassing the intended security boundaries. Organizations utilizing this smart home server software face significant risk of unauthorized account manipulation, which could lead to complete system compromise if attackers can identify and exploit additional vulnerabilities in the platform. The vulnerability also represents a failure in the principle of least privilege, where users have access to functions beyond what is necessary for their operational role.
Mitigation strategies for this vulnerability require immediate implementation of proper authorization controls within the JSON-RPC interface. System administrators should ensure that the deleteUserAccount method enforces role-based access control, requiring elevated privileges or additional confirmation mechanisms before allowing account deletion operations. The implementation should include verification that the requesting user has appropriate administrative privileges or that the operation is performed within a controlled environment with proper audit logging. Additionally, organizations should implement network segmentation to limit access to the JSON-RPC endpoints and establish monitoring for unusual account deletion patterns. The software vendor should provide a patch that enforces proper authorization checks and implements additional safeguards to prevent unauthorized account manipulation. Regular security audits should verify that all user management functions properly enforce access control policies, and access logs should be monitored for suspicious deletion activities to detect potential exploitation attempts.