What is the CVSS score of CVE-2026-26368?

CVE-2026-26368 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Enet Smart Home are affected by CVE-2026-26368?

Any authenticated user with basic privileges can reset passwords of administrative accounts in eNet SMART HOME servers (versions 2.2.1 and 2.3.1), potentially gaining full system control.

Is there a public PoC exploit available for CVE-2026-26368?

Yes, a public proof-of-concept exploit is available for CVE-2026-26368. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-26368?

Within 24 hours: Inventory all eNet SMART HOME deployments and document affected versions; restrict network access to these systems to trusted administrators only. Within 7 days: Implement enhanced monitoring and audit logging of password reset activities; consider disabling the resetUserPassword JSON-RPC method if operationally feasible. Within 30 days: Develop an upgrade plan to patched versions as soon as the vendor releases patches; evaluate alternative products if upgrade timelines are unacceptable.

Enet Smart Home CVE-2026-26368

HIGH

Missing Authorization (CWE-862)

2026-02-15 disclosure@vulncheck.com

Privilege Escalation Enet Smart Home

8.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 28, 2026 - 01:33 vuln.today

Public exploit code

CVE Published

Feb 15, 2026 - 16:15 nvd

HIGH 8.8

DescriptionCVE.org

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without supplying the current password or having sufficient privileges. By sending a crafted JSON-RPC request to /jsonrpc/management, an attacker can overwrite existing credentials, resulting in direct account takeover with full administrative access and persistent privilege escalation.

AnalysisAI

eNet Smart Home server versions 2.2.1 and 2.3.1 suffer from missing authorization checks in the resetUserPassword JSON-RPC method, allowing any authenticated low-privileged user to reset passwords for administrative accounts without proper verification. Public exploit code exists for this vulnerability, enabling attackers to achieve immediate privilege escalation and gain full administrative control over the smart home system. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as low-privileged user

Delivery

Send crafted JSON-RPC request to /jsonrpc/management

Exploit

Call resetUserPassword method with admin account target

Execution

Overwrite admin credentials

Impact

Gain administrative access

Access

Authenticate as low-privileged user

Delivery

Send crafted JSON-RPC request to /jsonrpc/management

Exploit

Call resetUserPassword method with admin account target

Execution

Overwrite admin credentials

Impact

Gain administrative access

Vulnerability AssessmentAI

Exploitation	Attacker must possess valid low-privileged UG_USER credentials on eNet SMART HOME server versions 2.2.1 or 2.3.1. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker (requires authentication) could exploit this flaw, direct account takeover with full administrative access and.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all eNet SMART HOME deployments and document affected versions; restrict network access to these systems to trusted administrators only. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-26368 vulnerability details – vuln.today

Back

Enet Smart Home CVE-2026-26368

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code