CVE-2026-26369
CRITICALeNet SMART HOME 2.2.1/2.3.1 - Privilege Escalation
Title source: llmDescription
eNet SMART HOME server 2.2.1 and 2.3.1 contains a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/management specifying their own username to elevate their account to the UG_ADMIN group, bypassing intended access controls and gaining administrative capabilities such as modifying device configurations, network settings, and other smart home system functions.
References (2)
Core 2
Core References
Third Party Advisory third-party-advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5975.php
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/jung-enet-smart-home-server-privilege-escalation-v
Scores
CVSS v3
9.8
EPSS
0.0064
EPSS Percentile
45.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-269
Status
published
Products (2)
jung-group/enet_smart_home
2.2.1
jung-group/enet_smart_home
2.3.1
Published
Feb 15, 2026
Tracked Since
Feb 18, 2026