CVE-2026-26367 in eNet SMART HOME serverinfo

Zusammenfassung

von MITRE • 15.02.2026

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Zuständig

VulnCheck

Reservieren

15.02.2026

Veröffentlichung

15.02.2026

Moderieren

akzeptiert

Eintrag

VDB-346141

CPE

bereit

EPSS

0.00373

KEV

nein

Aktivitäten

very low

Quellen

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!