CVE-2026-26368 HIGH

CVE-2026-26368: JUNG eNet SMART HOME server 2.2.1/2.3.1 Account Takeover via resetUserPassword

Vendor Jung
Product eNet SMART HOME server
Weakness CWE-862 · Missing authorization
Published February 15, 2026
Last update February 17, 2026
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without supplying the current password or having sufficient privileges. By sending a crafted JSON-RPC request to /jsonrpc/management, an attacker can overwrite existing credentials, resulting in direct account takeover with full administrative access and persistent privilege escalation.

Key dates

02Disclosure timeline

February 15, 2026 CVE published
February 17, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-52230 WordPress Booster Plus for WooCommerce plugin < 7.1.3 - Authenticated Arbitrary WordPress Option Disclosure Vulnerability CVE-2025-60077 WordPress YayPricing plugin <= 3.5.3 - Broken Access Control vulnerability CVE-2024-32719 WordPress WP Club Manager plugin <= 2.2.11 - Broken Access Control vulnerability CVE-2025-68000 WordPress Testimonial Slider plugin <= 2.0.15 - Broken Access Control vulnerability CVE-2019-25217 SiteGround Optimizer <= 5.0.12 - Missing Authorization