CVE-2026-26367

Name of the Vulnerable Software and Affected Versions eNet SMART HOME server versions 2.2.1 through 2.3.1

Description The eNet SMART HOME server software has a flaw where authorization checks are absent in the deleteUserAccount JSON-RPC method. This allows a standard, authenticated user (UG USER) to remove other user accounts, with the exception of the built-in admin account. The application fails to implement role-based access control for this function. An attacker can send a specially crafted POST request to the /jsonrpc/management API endpoint, specifying a username to be deleted, without needing higher privileges or further confirmation. The vulnerable parameter is username.

Recommendations eNet SMART HOME server version 2.2.1: Implement proper role-based access control for the deleteUserAccount function. eNet SMART HOME server version 2.3.1: Implement proper role-based access control for the deleteUserAccount function.