Description
eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.
Published: 2026-02-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: User Account Deletion / Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from a missing authorization check in the deleteUserAccount JSON‑RPC method. An authenticated low‑privileged user can craft a POST request to /jsonrpc/management and specify any other username, causing that account to be removed without the usual administrative confirmation. This flaw undermines the integrity of the user account store and can lead to denial of service for legitimate users whose accounts are deleted. It is classified as CWE‑862 (Missing Authorization), here a lack of role‑based access control on the method.

Affected Systems

The issue affects JUNG eNet SMART HOME server versions 2.2.1 and 2.3.1. The built‑in admin account is protected, but all other user accounts are susceptible to deletion.

Risk and Exploitability

With a CVSS score of 7.1 the vulnerability is considered high severity. The EPSS score of < 1% indicates a currently low exploitation probability; however, the vulnerability remains significant because it is accessible over the network to any authenticated user. KEV does not list this entry, but the exposed endpoint and the credential‑based nature of the attack make it a candidate for opportunistic exploitation. The likely attack vector is remote via the JSON‑RPC interface, assuming the attacker has a valid user credential that does not have administrative privileges.

Generated by OpenCVE AI on April 16, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade to a version of eNet SMART HOME server that does not contain the vulnerable deleteUserAccount method.
  • Ensure that only users with administrative roles are allowed to invoke deleteUserAccount; verify role‑based access control settings and adjust if necessary.
  • Secure the JSON‑RPC endpoint by restricting access to trusted IP ranges or by placing it behind a firewall and enabling strong authentication mechanisms.
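The role check described in the recommended actions, as an added illustration rather than eNet SMART HOME code: a minimal JSON-RPC dispatcher that authorizes deleteUserAccount per caller role before touching any state and keeps the built-in admin account undeletable. The role name UG_ADMIN, the in-memory user store and the request shape are assumptions made for the example.

```python
"""Illustrative JSON-RPC dispatcher showing the authorization check that
CWE-862 describes as missing. Added example, not vendor code; UG_ADMIN,
the user store and the error codes are constructed for the demonstration."""
import json

# Constructed user store: username -> role. "admin" is the built-in account.
USERS = {"admin": "UG_ADMIN", "alice": "UG_USER", "bob": "UG_USER"}

# Per-method authorization policy: which roles may invoke each method.
METHOD_ROLES = {
    "listUserAccounts": {"UG_USER", "UG_ADMIN"},
    "deleteUserAccount": {"UG_ADMIN"},
}


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def _delete_user_account(params, users):
    target = params.get("username")
    if target == "admin":
        return False, "built-in admin account cannot be deleted"
    if target not in users:
        return False, "no such user"
    del users[target]
    return True, None


def dispatch(request_json, caller, users=USERS, enforce_rbac=True):
    """Handle one POST body to /jsonrpc/management on behalf of `caller`.
    enforce_rbac=False reproduces the flawed behaviour for comparison:
    any authenticated user reaches deleteUserAccount."""
    req = json.loads(request_json)
    method, params, req_id = req.get("method"), req.get("params", {}), req.get("id")
    if method not in METHOD_ROLES:
        return _error(req_id, -32601, "Method not found")
    # The authorization check: deny before any state is modified.
    if enforce_rbac and users.get(caller) not in METHOD_ROLES[method]:
        return _error(req_id, -32001, "forbidden: insufficient role")
    if method == "listUserAccounts":
        return {"jsonrpc": "2.0", "id": req_id, "result": sorted(users)}
    ok, why = _delete_user_account(params, users)
    if not ok:
        return _error(req_id, -32002, why)
    return {"jsonrpc": "2.0", "id": req_id, "result": True}
```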


Advisories

No advisories yet.

History

Mon, 02 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


Thu, 26 Feb 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Jung-group
Jung-group enet Smart Home
CPEs cpe:2.3:a:jung-group:enet_smart_home:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:jung-group:enet_smart_home:2.3.1:*:*:*:*:*:*:*
Vendors & Products Jung-group
Jung-group enet Smart Home

Tue, 17 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Jung
Jung enet Smart Home Server
Vendors & Products Jung
Jung enet Smart Home Server

Sun, 15 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
Description eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.
Title JUNG eNet SMART HOME server 2.2.1/2.3.1 Arbitrary User Deletion via deleteUserAccount
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Jung Enet Smart Home Server
Jung-group Enet Smart Home
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-02T14:49:41.144Z

Reserved: 2026-02-15T15:02:17.449Z

Link: CVE-2026-26367

Vulnrichment

Updated: 2026-02-17T14:42:14.046Z

NVD

Status: Modified

Published: 2026-02-15T16:15:54.060

Modified: 2026-03-02T15:16:35.977

Link: CVE-2026-26367

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses