CVE-2026-26369
Severity: CRITICAL (CVSS 9.8)
WAF coverage: Low
Published: 2026-02-15
CWE-269
eNet SMART HOME server versions 2.2.1 and 2.3.1 contain a privilege escalation vulnerability caused by insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/management specifying their own username to elevate their account to the UG_ADMIN group. This bypasses the intended access controls and grants administrative capabilities such as modifying device configurations, network settings, and other smart home system functions.
WAF Coverage Analysis
Improper Privilege Management
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
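With low WAF coverage, detection falls to request logs. The sketch below is an added example, not code from the vendor or the advisory: it flags setUserGroup calls on /jsonrpc/management made by sessions that are not in UG_ADMIN. The log record fields (session_user, session_group, http_method, path, body) and the sample records are constructed assumptions, and because the page does not give the method's parameter names, the check scans all parameter values instead of relying on key names.

```python
import json

ENDPOINT = "/jsonrpc/management"  # endpoint named in the advisory text
METHOD = "setUserGroup"           # method named in the advisory text
ADMIN_GROUP = "UG_ADMIN"

def iter_strings(value):
    """Yield every string found anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for item in (value.values() if isinstance(value, dict) else value):
            yield from iter_strings(item)

def classify(record):
    """Return None, 'review' or 'self-escalation' for one log record."""
    path = str(record.get("path", "")).split("?")[0]
    if record.get("http_method") != "POST" or path != ENDPOINT:
        return None
    try:
        body = json.loads(record.get("body", ""))
    except (TypeError, ValueError):
        return None
    verdict = None
    for call in (body if isinstance(body, list) else [body]):  # JSON-RPC batches
        if not isinstance(call, dict) or call.get("method") != METHOD:
            continue
        if record.get("session_group") == ADMIN_GROUP:
            continue  # administrators are expected to manage groups
        values = set(iter_strings(call.get("params")))
        if ADMIN_GROUP in values and record.get("session_user") in values:
            return "self-escalation"  # caller names itself and UG_ADMIN
        verdict = "review"  # any group change by a non-admin session
    return verdict

def scan(records):
    """Return (index, verdict) for every record that needs attention."""
    return [(i, v) for i, v in enumerate(map(classify, records)) if v]

def make_record(user, group, body):
    """Build one constructed log record (field names are assumptions)."""
    return {"session_user": user, "session_group": group,
            "http_method": "POST", "path": ENDPOINT, "body": body}

# Constructed sample input; parameter keys "k1"/"k2" are placeholders.
SAMPLE_LOG = [
    make_record("alice", "UG_USER", '{"jsonrpc":"2.0","id":1,"method":"setUserGroup","params":{"k1":"alice","k2":"UG_ADMIN"}}'),
    make_record("admin", "UG_ADMIN", '{"jsonrpc":"2.0","id":2,"method":"setUserGroup","params":["bob","UG_USER"]}'),
    make_record("bob", "UG_USER", '{"jsonrpc":"2.0","id":3,"method":"setUserGroup","params":["carol","UG_USER"]}'),
    make_record("alice", "UG_USER", '{"jsonrpc":"2.0","id":4,"method":"otherMethod","params":[]}'),
    make_record("alice", "UG_USER", "not json"),
]
```

Running `scan(SAMPLE_LOG)` reports the first record as a self-escalation and the third for review. Alerting of this kind complements upgrading or patching the server; it does not replace the missing server-side authorization check.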
Affected Software
| Vendor | Product | Version |
|---|---|---|
| jung-group | enet_smart_home | 2.2.1 |
| jung-group | enet_smart_home | 2.3.1 |
References
- www.vulncheck.com (Broken Link)
- www.zeroscience.mk (Third Party Advisory, Exploit)