What is the CVSS score of CVE-2026-26367?

CVE-2026-26367 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Enet Smart Home are affected by CVE-2026-26367?

eNet SMART HOME servers (versions 2.2.1 and 2.3.1) contain a critical authorization flaw allowing any low-privilege user to delete other user accounts without permission.

Is there a public PoC exploit available for CVE-2026-26367?

Yes, a public proof-of-concept exploit is available for CVE-2026-26367. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-26367?

Within 24 hours: Identify and inventory all eNet SMART HOME servers running versions 2.2.1 or 2.3.1 in your environment. Within 7 days: Implement network access controls restricting JSON-RPC deleteUserAccount method calls to administrative users only, or disable the deleteUserAccount feature if not operationally critical. Within 30 days: Contact eNet for patch availability, isolate affected systems until patched, or plan migration to a patched version or alternative solution.

Enet Smart Home CVE-2026-26367

HIGH

Missing Authorization (CWE-862)

2026-02-15 disclosure@vulncheck.com

Authentication Bypass Enet Smart Home

8.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Mar 02, 2026 - 15:16 vuln.today

Public exploit code

CVE Published

Feb 15, 2026 - 16:15 nvd

HIGH 8.1

DescriptionCVE.org

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.

AnalysisAI

eNet Smart Home server versions 2.2.1 and 2.3.1 allow authenticated users to delete arbitrary user accounts through an authorization bypass in the deleteUserAccount JSON-RPC method. Any low-privileged user can submit a crafted request to remove other accounts without elevated permissions, and public exploit code exists for this vulnerability. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as low-privileged user

Exploit

Craft JSON-RPC deleteUserAccount request

Execution

Submit POST to /jsonrpc/management endpoint

Impact

Delete arbitrary user account