CVE-2026-26367

HIGH 8.1

JUNG eNet SMART HOME server 2.2.1/2.3.1 Arbitrary User Deletion via deleteUserAccount

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.

CWE	CWE-862
Vendor	jung
Product	enet smart home server
Published	Feb 15, 2026
Last Updated	Mar 2, 2026

Stay Ahead of the Next One

Get instant alerts for jung enet smart home server

Be the first to know when new high vulnerabilities affecting jung enet smart home server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Affected Versions

JUNG / eNet SMART HOME server

2.3.1 (46841) 2.2.1 (46056)

References

NVD ↗ CVE.org ↗ EPSS Data ↗

zeroscience.mk: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5973.php vulncheck.com: https://www.vulncheck.com/advisories/jung-enet-smart-home-server-arbitrary-user-deletio

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab