Unrated severityNVD Advisory· Published Feb 15, 2026· Updated Mar 2, 2026

JUNG eNet SMART HOME server 2.2.1/2.3.1 Arbitrary User Deletion via deleteUserAccount

CVE-2026-26367

Description

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.

Affected products

Enet/SMART HOME serverllm-fuzzy
Range: 2.2.0 - 2.3.1 ?
JUNG/eNet SMART HOME serverv5
Range: 2.3.1 (46841)

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.vulncheck.com/advisories/jung-enet-smart-home-server-arbitrary-user-deletiomitrethird-party-advisory
www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.phpmitrethird-party-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000