CVE-2026-26369

Name of the Vulnerable Software and Affected Versions eNet SMART HOME server versions 2.2.1 and 2.3.1

Description The eNet SMART HOME server is affected by a privilege escalation issue. Insufficient authorization checks within the setUserGroup JSON-RPC method allow a low-privileged user (UG USER) to elevate their account to the UG ADMIN group. This is achieved by sending a crafted POST request to the /jsonrpc/management API endpoint, specifying the user's own username. Successful exploitation grants administrative capabilities, including the ability to modify device configurations and network settings.

Recommendations eNet SMART HOME server version 2.2.1: At the moment, there is no information about a newer version that contains a fix for this vulnerability. eNet SMART HOME server version 2.3.1: At the moment, there is no information about a newer version that contains a fix for this vulnerability.