High (8.8)

CVE-2026-26368

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the ...

Overview

A critical security flaw has been identified in the eNet SMART HOME server software. This vulnerability allows a user with a standard, low-privilege account to reset the password of any other user on the system, including administrators, without permission or knowledge of the current password.

Vulnerability Details

The vulnerability exists in the resetUserPassword function of the server’s JSON-RPC interface. This function, accessible at the /jsonrpc/management endpoint, fails to verify that the user making the request is authorized to reset the target account. In software versions 2.2.1 and 2.3.1, any logged-in user, even one with the lowest privileges (UG_USER), can send a specially crafted request to change the password of accounts belonging to high-privilege groups such as UG_ADMIN and UG_SUPER_ADMIN.

Impact

The impact of this vulnerability is severe. A malicious actor with any valid user account can:

  • Take over administrative accounts, granting them full control of the eNet SMART HOME server.
  • Escalate privileges permanently, as the password change is persistent.
  • Disrupt system operations, lock out legitimate administrators, and potentially access or manipulate connected smart home devices and sensitive data. This constitutes a complete breach of the system’s access controls.

Affected Products

  • eNet SMART HOME server version 2.2.1
  • eNet SMART HOME server version 2.3.1

Other versions may also be affected and should be verified.

Remediation and Mitigation

Immediate Action is Required. If you are running an affected version, you should:

  1. Apply an Official Update: Contact the vendor (eNet) immediately to obtain a patched version of the software. Apply the update as soon as it is available. This is the only complete solution.

  2. Isolate the System (If Patching is Delayed):

    • Restrict network access to the eNet server’s management interface (port 80/443) to only trusted, necessary administrative IP addresses using firewall rules.
    • Place the server on a segregated network VLAN, isolated from general user and critical infrastructure networks.

  3. Review and Monitor:

    • Audit all user accounts, especially administrative ones, for any unauthorized changes. Reset passwords for all administrative accounts from a secure, uncompromised system.
    • Closely monitor system and authentication logs for any unusual password reset activity or logins from unexpected locations.
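As an added example (not the vendor's code and not the server's real log format), the monitoring step above can be turned into a small scanner. It assumes a constructed JSON-lines audit log of JSON-RPC calls with the field names shown, and flags resetUserPassword calls in which a caller outside the admin groups changes another account's password, which is exactly the request pattern this advisory describes.

```python
import json
from dataclasses import dataclass
from typing import Optional

# High-privilege groups named in the advisory; resets by these callers are expected.
ADMIN_GROUPS = {"UG_ADMIN", "UG_SUPER_ADMIN"}

# Constructed sample log (assumed format, one JSON object per line): each entry
# records a JSON-RPC call with the caller, the caller's group and the target user.
SAMPLE_LOG = """\
{"ts":"2026-03-01T10:00:01Z","src":"10.0.0.5","endpoint":"/jsonrpc/management","method":"getUsers","caller":"ops","caller_group":"UG_USER"}
{"ts":"2026-03-01T10:00:07Z","src":"10.0.0.5","endpoint":"/jsonrpc/management","method":"resetUserPassword","caller":"ops","caller_group":"UG_USER","target":"ops"}
{"ts":"2026-03-01T10:00:12Z","src":"10.0.0.5","endpoint":"/jsonrpc/management","method":"resetUserPassword","caller":"ops","caller_group":"UG_USER","target":"admin","target_group":"UG_ADMIN"}
{"ts":"2026-03-01T10:01:00Z","src":"10.0.0.2","endpoint":"/jsonrpc/management","method":"resetUserPassword","caller":"admin","caller_group":"UG_ADMIN","target":"ops","target_group":"UG_USER"}
"""


@dataclass
class Finding:
    ts: str
    src: str
    caller: str
    target: str
    reason: str


def check_reset(event: dict) -> Optional[Finding]:
    """Return a Finding if the event is a password reset that a correctly
    authorizing server should have refused, otherwise None."""
    if event.get("endpoint") != "/jsonrpc/management" or event.get("method") != "resetUserPassword":
        return None
    caller, target = event.get("caller"), event.get("target")
    if caller == target:
        return None  # a user resetting their own password is not the issue here
    group = event.get("caller_group", "")
    if group in ADMIN_GROUPS:
        return None  # administrative reset of another account is expected behaviour
    reason = f"{group or 'unknown group'} caller reset another user's password"
    return Finding(event.get("ts", ""), event.get("src", ""), caller, target, reason)


def scan_log(text: str) -> list:
    """Parse a JSON-lines log and collect suspicious resetUserPassword calls."""
    findings = []
    for line in text.splitlines():
        try:
            event = json.loads(line) if line.strip() else None
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        finding = check_reset(event) if event else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.caller} -> {f.target}: {f.reason}")
```

On the sample log only the third line is reported: a UG_USER account changing the password of the UG_ADMIN account "admin".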

Disclaimer: The mitigation steps are temporary measures. The security of the system cannot be guaranteed until the official vendor patch is applied.
