CVE-2026-26367 Overview
CVE-2026-26367 is a missing authorization vulnerability affecting eNet SMART HOME server versions 2.2.1 and 2.3.1. The flaw exists in the deleteUserAccount JSON-RPC method, which fails to enforce role-based access control (RBAC). This allows any authenticated low-privileged user with the UG_USER role to delete arbitrary user accounts, except for the built-in admin account, without requiring elevated permissions or additional confirmation.
Critical Impact
Low-privileged authenticated users can delete arbitrary user accounts on affected eNet SMART HOME servers, potentially disrupting system access for legitimate users and administrators.
Affected Products
- eNet SMART HOME server 2.2.1
- eNet SMART HOME server 2.3.1
Discovery Timeline
- 2026-02-15 - CVE-2026-26367 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-26367
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), which occurs when a software application does not perform an authorization check when an actor attempts to access a resource or perform an action. In this case, the eNet SMART HOME server fails to validate whether the requesting user has sufficient privileges to execute the deleteUserAccount function.
The vulnerability allows network-based exploitation with low attack complexity, requiring only a low-privileged authenticated account. An attacker can leverage this flaw to cause significant disruption to system availability by removing legitimate user accounts from the smart home management platform.
Root Cause
The root cause of CVE-2026-26367 is the absence of proper authorization checks in the deleteUserAccount JSON-RPC method. The application processes account deletion requests without verifying that the requesting user has administrative privileges. While the built-in admin account is protected from deletion, all other user accounts remain vulnerable to unauthorized removal by any authenticated user, regardless of their assigned role.
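The following is an added illustration of the CWE-862 pattern described above and of the authorization check that closes it; it is not eNet SMART HOME code. The method name deleteUserAccount, the role UG_USER and the protected built-in admin account come from the advisory; the role name UG_ADMIN, the UserStore class, the Session type and the AuthorizationError exception are assumptions made for this example.

```python
"""Model of the missing-authorization pattern behind CVE-2026-26367 and its fix.

Added example, not vendor code. deleteUserAccount, UG_USER and the protected
built-in "admin" account are from the advisory; UG_ADMIN, UserStore, Session
and AuthorizationError are assumptions for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

UG_USER = "UG_USER"      # low-privileged role named in the advisory
UG_ADMIN = "UG_ADMIN"    # assumed name for the administrative role
BUILTIN_ADMIN = "admin"  # built-in account the server already refuses to delete


class AuthorizationError(PermissionError):
    """Raised when the caller's role does not permit the requested method."""


@dataclass
class Session:
    """Server-side session: the role is established at login, not taken from the request."""
    username: str
    role: str


@dataclass
class UserStore:
    users: dict[str, str] = field(default_factory=dict)  # username -> role

    def delete_user_account_vulnerable(self, session: Session, target: str) -> bool:
        """Vulnerable shape (CWE-862): only the built-in admin is protected; the
        caller's role is never consulted, so any authenticated user may delete others."""
        if target == BUILTIN_ADMIN:
            return False
        return self.users.pop(target, None) is not None

    def delete_user_account_fixed(self, session: Session, target: str) -> bool:
        """Hardened shape: authorize before acting. Only administrators may delete
        accounts, the built-in admin stays protected, and the decision is taken
        from the server-side session rather than from request parameters."""
        if session.role != UG_ADMIN:
            raise AuthorizationError(
                f"{session.username} ({session.role}) may not call deleteUserAccount")
        if target == BUILTIN_ADMIN:
            return False
        return self.users.pop(target, None) is not None


def fresh_store() -> UserStore:
    """Constructed sample account table."""
    return UserStore({"admin": UG_ADMIN, "alice": UG_ADMIN, "guest": UG_USER})


def demo() -> tuple[bool, bool, bool]:
    """Call both variants as a UG_USER caller. Returns
    (vulnerable_variant_deleted_alice, fixed_variant_refused, alice_still_present_after_fix)."""
    low_priv = Session("guest", UG_USER)

    store = fresh_store()
    vulnerable_deleted = store.delete_user_account_vulnerable(low_priv, "alice")

    store = fresh_store()
    try:
        store.delete_user_account_fixed(low_priv, "alice")
        fixed_refused = False
    except AuthorizationError:
        fixed_refused = True
    return vulnerable_deleted, fixed_refused, "alice" in store.users


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The point of the hardened variant is that the role check runs before any state changes and is driven by the authenticated session, so a client cannot influence it through request parameters; the existing admin-protection check stays in place as a second line of defence.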
Attack Vector
The attack is executed over the network by sending a crafted POST request to the /jsonrpc/management endpoint. An authenticated attacker with standard user privileges (UG_USER) can construct a JSON-RPC request that invokes the deleteUserAccount method, specifying the username of the target account to be deleted. Since no authorization verification is performed, the server processes the request and removes the targeted user account.
The exploitation requires the attacker to have valid credentials for a low-privileged account on the target eNet SMART HOME server. Once authenticated, the attacker can enumerate existing users and systematically remove accounts to deny access to legitimate users. For detailed technical information, refer to the VulnCheck Security Advisory and the Zero Science Vulnerability Report.
Detection Methods for CVE-2026-26367
Indicators of Compromise
- Unusual volume of POST requests to the /jsonrpc/management endpoint from non-administrative user sessions
- Unexpected user account deletions in system logs without corresponding administrative actions
- Multiple deleteUserAccount method invocations from a single low-privileged user account
- User complaints about being locked out of the smart home system
Detection Strategies
- Monitor JSON-RPC method calls to identify deleteUserAccount requests from non-admin users
- Implement logging and alerting for all user account management operations
- Deploy web application firewall (WAF) rules to flag suspicious patterns targeting the management endpoint
- Correlate authentication logs with account deletion events to identify privilege abuse
Monitoring Recommendations
- Enable detailed audit logging for all JSON-RPC method invocations on the eNet SMART HOME server
- Configure alerts for account deletion events initiated by users without administrative roles
- Review access logs for the /jsonrpc/management endpoint regularly
- Implement session monitoring to detect anomalous behavior from low-privileged accounts
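The detection strategies and monitoring recommendations above can be combined into one check: correlate login events (which establish a session's role) with JSON-RPC management events, and alert on every deleteUserAccount call that did not come from an administrator session, plus a separate alert when one non-admin user issues several. The script below is an added example, not part of the advisory or of any vendor tooling. The log line formats are constructed for this illustration (the server's real log format is not described in the advisory); the role name UG_ADMIN and the field names are assumptions, while deleteUserAccount, UG_USER and /jsonrpc/management come from the advisory.

```python
"""Correlate auth and JSON-RPC logs to flag non-admin deleteUserAccount calls.

Added example, not vendor tooling. Log formats below are constructed; UG_ADMIN
and the key=value field names are assumptions. deleteUserAccount, UG_USER and
/jsonrpc/management are taken from the advisory.
"""
from __future__ import annotations

import re
from collections import Counter

ADMIN_ROLE = "UG_ADMIN"  # assumed administrative role name
REPEAT_THRESHOLD = 2     # deletions from one non-admin user that count as "multiple"

# Constructed sample logs. Line shape: "<timestamp> <source> key=value ...".
AUTH_LOG = """\
2026-02-20T09:58:02Z auth event=login user=alice role=UG_ADMIN session=s-a1
2026-02-20T10:00:17Z auth event=login user=guest role=UG_USER session=s-g7
2026-02-20T10:02:41Z auth event=login user=carol role=UG_USER session=s-c3
"""

MGMT_LOG = """\
2026-02-20T10:01:10Z jsonrpc path=/jsonrpc/management session=s-a1 method=getUsers
2026-02-20T10:03:05Z jsonrpc path=/jsonrpc/management session=s-g7 method=deleteUserAccount target=bob
2026-02-20T10:03:09Z jsonrpc path=/jsonrpc/management session=s-g7 method=deleteUserAccount target=dave
2026-02-20T10:04:30Z jsonrpc path=/jsonrpc/management session=s-a1 method=deleteUserAccount target=old-tenant
2026-02-20T10:05:00Z jsonrpc path=/jsonrpc/management session=s-c3 method=deleteUserAccount target=admin
2026-02-20T10:05:12Z jsonrpc path=/jsonrpc/management session=s-zz method=deleteUserAccount target=erin
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict[str, str]:
    """Split a log line into timestamp, source and its key=value fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields.update({"ts": ts, "source": source})
    return fields


def build_session_index(auth_log: str) -> dict[str, dict[str, str]]:
    """Map session id -> {user, role} from login events."""
    index: dict[str, dict[str, str]] = {}
    for line in auth_log.splitlines():
        ev = parse_line(line)
        if ev.get("event") == "login":
            index[ev["session"]] = {"user": ev["user"], "role": ev["role"]}
    return index


def find_suspicious_deletions(auth_log: str, mgmt_log: str) -> list[dict[str, str]]:
    """One alert per deleteUserAccount call not made by an administrator session,
    plus a 'repeated' alert per non-admin user at or above REPEAT_THRESHOLD.
    A session with no login record is flagged rather than silently trusted."""
    sessions = build_session_index(auth_log)
    alerts: list[dict[str, str]] = []
    per_user: Counter[str] = Counter()
    for line in mgmt_log.splitlines():
        ev = parse_line(line)
        if ev.get("method") != "deleteUserAccount":
            continue  # other management calls are not in scope for this rule
        who = sessions.get(ev["session"])
        if who is None:
            alerts.append({"ts": ev["ts"], "kind": "unknown-session",
                           "session": ev["session"], "target": ev["target"]})
            continue
        if who["role"] != ADMIN_ROLE:
            per_user[who["user"]] += 1
            alerts.append({"ts": ev["ts"], "kind": "non-admin-deletion",
                           "user": who["user"], "role": who["role"],
                           "target": ev["target"]})
    for user, n in per_user.items():
        if n >= REPEAT_THRESHOLD:
            alerts.append({"kind": "repeated-non-admin-deletions",
                           "user": user, "count": str(n)})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_deletions(AUTH_LOG, MGMT_LOG):
        print(alert)
```

On the constructed input this yields three non-admin deletion alerts (two from guest, one from carol attempting to delete admin, which the server would refuse but which is still worth seeing), one unknown-session alert, and one repeated-deletions alert for guest; the administrator's own deletion produces no alert.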
How to Mitigate CVE-2026-26367
Immediate Actions Required
- Restrict network access to the eNet SMART HOME server management interface to trusted networks only
- Review and audit all user accounts for unauthorized deletions
- Implement network segmentation to limit exposure of the smart home server
- Consider temporarily disabling low-privileged user accounts until a patch is available
Patch Information
At the time of publication, no vendor patch information was available in the CVE data. Organizations should monitor the vendor's official channels and the referenced security advisories for updates. Check the VulnCheck Security Advisory and Zero Science Vulnerability Report for the latest remediation guidance.
Workarounds
- Place the eNet SMART HOME server behind a firewall and restrict access to the management interface
- Implement additional authentication layers such as VPN for remote access to the server
- Limit the number of user accounts and regularly audit account activity
- Use network monitoring tools to detect and block suspicious requests to the /jsonrpc/management endpoint
# Example: Restrict access to management endpoint via iptables
# Allow only trusted admin IP addresses to reach the management interface.
# 192.168.1.100 is a placeholder for the administrator's address; the rules
# assume the management interface is served on TCP/443 (adjust if it is not).
# Rules are appended in order, so the ACCEPT must precede the catch-all DROP.
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.