JUNG eNet SMART HOME server 2.2.1/2.3.1 Arbitrary User Deletion via...

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.

Basic Information

ID CVE-2026-26367

Source VulnCheck

Published Feb 15, 2026 at 15:29

Affected Product

Vendor JUNG

Product eNet SMART HOME server

Version 2.3.1 (46841)

Affected Versions JUNG eNet SMART HOME server 2.3.1 (46841)
JUNG eNet SMART HOME server 2.2.1 (46056)

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.",
    "published": "2026-02-15T15:29:54.646Z",
    "modified": "2026-02-15T15:29:54.646Z",
    "type": "cve",
    "title": "JUNG eNet SMART HOME server 2.2.1/2.3.1 Arbitrary User Deletion via deleteUserAccount",
    "source": "VulnCheck",
    "references": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php\nhttps://www.vulncheck.com/advisories/jung-enet-smart-home-server-arbitrary-user-deletio",
    "id": "CVE-2026-26367",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "JUNG eNet SMART HOME server 2.3.1 (46841)\nJUNG eNet SMART HOME server 2.2.1 (46056)",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "eNet SMART HOME server",
    "version": "2.3.1 (46841)",
    "vendor": "JUNG",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

JUNG eNet SMART HOME server 2.2.1/2.3.1 Arbitrary User Deletion via deleteUserAccount_CVE-2026-26367