VYPR
Unrated severity · NVD Advisory · Published Feb 15, 2026 · Updated Mar 2, 2026

JUNG eNet SMART HOME server 2.2.1/2.3.1 Arbitrary User Deletion via deleteUserAccount

CVE-2026-26367

Description

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.
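
The missing control described above, sketched as an added example (not code from the vendor or from this advisory): a JSON-RPC dispatcher that checks the caller's server-side role against a deny-by-default table before any handler runs. Assumptions: the `UG_ADMIN` role name, the `userName` parameter, the `getCurrentUser` method, the account name `admin`, and the sample users are all hypothetical; only `UG_USER` and `deleteUserAccount` come from the description.

```python
import json

# UG_USER is from the advisory; UG_ADMIN is an assumed placeholder role name.
# Deny by default: a method missing from this table is never dispatched.
REQUIRED_ROLE = {
    "getCurrentUser": {"UG_USER", "UG_ADMIN"},   # hypothetical read-only method
    "deleteUserAccount": {"UG_ADMIN"},
}

def rpc_error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}

class ManagementService:
    def __init__(self, users):
        self.users = dict(users)          # username -> role (constructed sample data)

    def getCurrentUser(self, caller, params):
        return {"userName": caller, "role": self.users[caller]}

    def deleteUserAccount(self, caller, params):
        target = params.get("userName")   # parameter name is an assumption
        if target not in self.users:
            raise KeyError(target)
        if target == "admin":             # assumed name of the built-in account
            raise PermissionError("built-in account")
        del self.users[target]
        return {"deleted": target}

    def dispatch(self, caller, raw_body):
        """Authorize on the session's role, then call the handler."""
        req = json.loads(raw_body)
        req_id, method = req.get("id"), req.get("method")
        params = req.get("params") or {}
        allowed = REQUIRED_ROLE.get(method)
        if allowed is None:
            return rpc_error(req_id, -32601, "Method not found")
        # The role is looked up from the authenticated session, never the request.
        if self.users.get(caller) not in allowed:
            return rpc_error(req_id, -32000, "Forbidden")
        if not isinstance(params, dict):
            return rpc_error(req_id, -32602, "Invalid params")
        try:
            result = getattr(self, method)(caller, params)
        except (KeyError, PermissionError):
            return rpc_error(req_id, -32602, "Invalid params")
        return {"jsonrpc": "2.0", "id": req_id, "result": result}
```

`caller` stands for the identity bound to the authenticated session; the check fails closed for unknown callers and for methods with no policy entry.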
