CVE-2026-26369
CRITICAL 9.8
Description
eNet SMART HOME server versions 2.2.1 and 2.3.1 contain a privilege escalation vulnerability caused by insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/management specifying their own username to elevate their account to the UG_ADMIN group, bypassing intended access controls and gaining administrative capabilities such as modifying device configurations, network settings, and other smart home system functions.
CVE Details
CVSS v3.1 Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 2/15/2026
Last Modified: 2/28/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
jung-group:enet_smart_home
Weaknesses (CWE)
CWE-269
References
https://www.vulncheck.com/advisories/jung-enet-smart-home-server-privilege-escalation-v (disclosure@vulncheck.com)
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5975.php (disclosure@vulncheck.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.