CVE-2026-26368 in eNet SMART HOME server
Summary
by MITRE • 02/15/2026
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without supplying the current password or having sufficient privileges. By sending a crafted JSON-RPC request to /jsonrpc/management, an attacker can overwrite existing credentials, resulting in direct account takeover with full administrative access and persistent privilege escalation.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/20/2026
This vulnerability exists within the eNet SMART HOME server software version 2.2.1 and 2.3.1 where the resetUserPassword JSON-RPC method fails to properly validate authorization requirements. The flaw represents a critical missing authorization control that allows any user authenticated at the UG_USER level to manipulate account credentials of higher privileged users without proper authentication or authorization checks. The vulnerability specifically affects the /jsonrpc/management endpoint which handles administrative operations, creating a path for privilege escalation through unauthorized credential modification. This issue directly violates fundamental security principles of least privilege and proper access control enforcement.
The technical implementation of this vulnerability stems from improper validation within the JSON-RPC method that processes user password resets. When an authenticated user sends a request to the management endpoint, the system accepts password reset commands for any user account regardless of the requesting user's privilege level or the target account's administrative status. This misconfiguration creates a path for attackers to perform account takeover operations by simply crafting a JSON-RPC request that specifies target user accounts and new password values. The absence of current password verification requirements or privilege level checks allows low-privileged users to assume administrative roles through credential manipulation.
The operational impact of this vulnerability is severe and far-reaching within the affected system environment. An attacker with minimal privileges can achieve complete administrative control over the smart home server, enabling them to modify all user accounts, access sensitive system configurations, and potentially compromise connected IoT devices. The persistent nature of this vulnerability means that once exploited, the attacker maintains access until the system is properly patched or the compromised accounts are manually reset. This creates a significant risk for organizations relying on the eNet SMART HOME server for residential or commercial security infrastructure, as it allows unauthorized individuals to gain full control over connected smart home ecosystems.
Organizations should immediately implement mitigations including patching the affected software versions to address the authorization flaw, implementing additional authentication controls for JSON-RPC endpoints, and conducting thorough access control reviews. Network segmentation should be employed to limit access to the management endpoint, while monitoring should be enabled to detect unauthorized password reset attempts. The vulnerability aligns with CWE-284 (Improper Access Control) and represents a clear violation of the principle of least privilege as defined in NIST SP 800-53. From an ATT&CK perspective, this vulnerability maps to T1078 (Valid Accounts) and T1548.001 (Abuse Elevation Control Mechanism) as it enables attackers to escalate privileges through unauthorized credential manipulation. Additionally, organizations should consider implementing multi-factor authentication requirements for administrative accounts and regular privilege access reviews to prevent unauthorized elevation of privileges through similar vulnerabilities.