PT-2026-8252 · Unknown · Enet Smart Home Server

Gjoko Krstic · Published 2026-02-15 · Updated 2026-02-28 · CVE-2026-26368

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

eNet SMART HOME server versions 2.2.1 and 2.3.1

Description

The software contains a missing authorization flaw in the resetUserPassword JSON-RPC method. An authenticated, low-privileged user (UG USER) can reset the password of any account, including those with UG ADMIN and UG SUPER ADMIN privileges, without knowing the current password. This is achieved by sending a specially crafted JSON-RPC request to the /jsonrpc/management API endpoint. Successful exploitation allows an attacker to overwrite existing credentials, leading to account takeover and full administrative access with persistent privilege escalation.

Recommendations

Update eNet SMART HOME server to a version later than 2.3.1.
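
The kind of server-side check whose absence the Description reports, as an added example that is not the eNet server's code or the vendor's fix. The parameter names (userName, newPassword, currentPassword), the UserStore class and the policy itself (a self-service change needs the current password, resetting another account needs a strictly higher role) are assumptions; the role strings are written as they appear on this page.

```python
import hashlib
import hmac
import os

# All names are hypothetical; role strings are written as on this page.
ROLE_RANK = {"UG USER": 1, "UG ADMIN": 2, "UG SUPER ADMIN": 3}

class AuthorizationError(Exception):
    pass

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    def __init__(self):
        self._users = {}

    def add(self, name, role, password):
        self._users[name] = {"role": role}
        self.set_password(name, password)

    def role(self, name):
        # None for an unknown account
        return self._users.get(name, {}).get("role")

    def set_password(self, name, password):
        salt = os.urandom(16)
        self._users[name].update(salt=salt, digest=_kdf(password, salt))

    def verify(self, name, password):
        u = self._users[name]
        return hmac.compare_digest(u["digest"], _kdf(password, u["salt"]))

def reset_user_password(store, session_user, params):
    """Handle a resetUserPassword call. session_user is taken from the
    server-side session, never from the request body."""
    target = params.get("userName")
    new_password = params.get("newPassword")
    if store.role(target) is None or not new_password:
        raise AuthorizationError("request rejected")
    if target == session_user:
        # Self-service change: prove knowledge of the current password.
        if not store.verify(target, params.get("currentPassword", "")):
            raise AuthorizationError("request rejected")
    elif ROLE_RANK[store.role(session_user)] <= ROLE_RANK[store.role(target)]:
        # Resetting another account requires a strictly higher role.
        raise AuthorizationError("request rejected")
    store.set_password(target, new_password)
    return True
```

The same rejection message is used for every failure so the response does not reveal whether the target account exists.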

Exploit

Fix

LPE

Missing Authorization
