CVE-2026-26367: Missing Authorization in JUNG eNet SMART HOME server
eNet SMART HOME server 2.2.1 and 2.3.1 contain a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-26367 affects JUNG's eNet SMART HOME server versions 2.2.1 and 2.3.1. It stems from a missing authorization check in the deleteUserAccount JSON-RPC method, which is intended to allow user account deletion. However, the server fails to enforce role-based access control, permitting any authenticated user with low privileges (UG_USER) to delete arbitrary user accounts except the built-in admin account. This is achieved by sending a crafted POST request to the /jsonrpc/management endpoint specifying the target username for deletion. The vulnerability does not require elevated privileges beyond standard user authentication, nor does it require user interaction, making it remotely exploitable over the network. The CVSS 4.0 score of 7.1 reflects high severity due to the ease of exploitation (low attack complexity, no privileges beyond user, no user interaction) and the significant impact on integrity and availability of user accounts. The flaw could allow attackers to disrupt smart home management by removing legitimate users, potentially locking out authorized users or causing denial of service in multi-user environments. No patches or exploits are currently reported, but the vulnerability's nature demands prompt attention. The eNet SMART HOME server is used primarily in residential and commercial smart home deployments, where user account integrity is critical for secure operation.
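The defect described above is a per-method authorization check that is simply absent from the dispatcher. The following Python example is an added illustration, not JUNG's code: a small JSON-RPC 2.0 dispatcher for a management endpoint in which the role check is applied centrally before any handler runs, with a flag that reproduces the missing check so the two behaviours can be compared. Assumptions: the request carries a `username` parameter, the privileged group is called `UG_ADMIN` (only `UG_USER` is named in the advisory), the built-in account is literally named `admin`, and the error code for authorization failures is application-defined.

```python
"""Role-based access control for a JSON-RPC 'management' endpoint.

Added illustration, not JUNG's code. Assumptions: JSON-RPC 2.0 envelope,
a 'username' parameter, group names UG_USER (from the advisory) and UG_ADMIN
(assumed), and the built-in account being literally named 'admin'.
"""
import json
from dataclasses import dataclass

# Standard JSON-RPC 2.0 error codes, plus an application-defined code for
# authorization failures (its value is an assumption for this example).
PARSE_ERROR = -32700
INVALID_REQUEST = -32600
METHOD_NOT_FOUND = -32601
INVALID_PARAMS = -32602
FORBIDDEN = -32001

BUILTIN_ADMIN = "admin"


@dataclass(frozen=True)
class Session:
    """The authenticated caller, established before the request reaches the dispatcher."""
    user: str
    group: str


def rpc_request(method, params, rid):
    """Build a JSON-RPC 2.0 request body (used by the demo and the tests)."""
    return json.dumps({"jsonrpc": "2.0", "method": method, "params": params, "id": rid})


class ManagementApi:
    def __init__(self, accounts, enforce_rbac=True):
        self.accounts = dict(accounts)      # username -> group
        self.enforce_rbac = enforce_rbac    # False reproduces the missing check
        # Method table: handler plus the groups allowed to call it.
        self.methods = {
            "deleteUserAccount": (self.delete_user_account, {"UG_ADMIN"}),
        }

    def handle(self, session, raw_body):
        """Dispatch one JSON-RPC request and return the response object."""
        try:
            req = json.loads(raw_body)
        except ValueError:
            return self._error(None, PARSE_ERROR, "parse error")
        if not isinstance(req, dict) or not isinstance(req.get("method"), str):
            return self._error(None, INVALID_REQUEST, "invalid request")
        rid = req.get("id")
        entry = self.methods.get(req["method"])
        if entry is None:
            return self._error(rid, METHOD_NOT_FOUND, "method not found")
        handler, allowed_groups = entry
        # The fix: authorize per method, centrally, before any handler runs.
        if self.enforce_rbac and session.group not in allowed_groups:
            return self._error(rid, FORBIDDEN, "caller lacks permission for this method")
        params = req.get("params") or {}
        return handler(session, rid, params if isinstance(params, dict) else {})

    def delete_user_account(self, session, rid, params):
        target = params.get("username")
        if not isinstance(target, str) or target not in self.accounts:
            return self._error(rid, INVALID_PARAMS, "unknown user")
        # The built-in admin account is protected even in the vulnerable versions.
        if target == BUILTIN_ADMIN:
            return self._error(rid, FORBIDDEN, "built-in admin account cannot be deleted")
        del self.accounts[target]
        return {"jsonrpc": "2.0", "result": {"deleted": target}, "id": rid}

    @staticmethod
    def _error(rid, code, message):
        return {"jsonrpc": "2.0", "error": {"code": code, "message": message}, "id": rid}


def demo():
    """A UG_USER caller is refused under RBAC and succeeds without it."""
    users = {"admin": "UG_ADMIN", "alice": "UG_USER", "bob": "UG_USER"}
    req = rpc_request("deleteUserAccount", {"username": "bob"}, 1)
    alice = Session("alice", "UG_USER")
    fixed = ManagementApi(users).handle(alice, req)
    vulnerable = ManagementApi(users, enforce_rbac=False).handle(alice, req)
    return fixed, vulnerable


if __name__ == "__main__":
    print(demo())
```

The point of keeping the allowed-group set in the method table rather than inside each handler is that a new management method cannot be added without declaring who may call it, which is the class of omission this CVE represents.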
Potential Impact
For European organizations, this vulnerability poses a significant risk to the integrity and availability of smart home management systems. Unauthorized deletion of user accounts could lead to denial of service for legitimate users, disruption of automated home functions, and potential security gaps if user roles are manipulated. In multi-user environments, such as managed residential complexes or smart office buildings, this could cause operational interruptions and loss of control over smart devices. The lack of proper authorization checks means that insider threats or compromised low-privileged accounts can escalate impact without needing administrative credentials. Given the growing adoption of smart home technologies in Europe, particularly in countries with high smart device penetration, this vulnerability could affect both private consumers and service providers managing smart home infrastructures. The absence of known exploits reduces immediate risk but does not diminish the urgency for mitigation, as the vulnerability is straightforward to exploit remotely.
Mitigation Recommendations
1. Immediately restrict network access to the /jsonrpc/management endpoint by implementing firewall rules or network segmentation to limit access only to trusted administrative networks or devices.
2. Enforce strong authentication and monitoring on all user accounts, especially low-privileged users, to detect unusual activity such as unexpected account deletions.
3. If possible, upgrade to a patched version of the eNet SMART HOME server once available from JUNG.
4. In the absence of patches, implement application-layer proxies or web application firewalls (WAFs) to inspect and block unauthorized deleteUserAccount JSON-RPC requests.
5. Conduct regular audits of user accounts to quickly identify and restore any unauthorized deletions.
6. Educate users and administrators about the risk of this vulnerability and encourage immediate reporting of any anomalies.
7. Consider isolating smart home management servers from general user networks to reduce exposure.
8. Monitor vendor communications for updates or patches and apply them promptly.
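Recommendations 2 and 4 both come down to the same check: spotting deleteUserAccount calls to /jsonrpc/management that are made by sessions outside the administrative group. The Python example below is an added illustration, not vendor code, and runs that check over request-log lines. Everything about the log format is constructed for the example; `UG_ADMIN`, the `username` parameter and the `getUserAccounts` method name are assumptions. It inspects both single requests and JSON-RPC 2.0 batch arrays, because a filter that only reads the top-level `method` field would miss a sensitive call carried inside a batch.

```python
"""Flag deleteUserAccount calls to /jsonrpc/management from non-admin sessions.

Added illustration, not vendor code. The log format and sample lines are
constructed for this example; UG_ADMIN, the 'username' parameter and the
'getUserAccounts' method name are assumptions. Single requests and JSON-RPC 2.0
batch arrays are both inspected.
"""
import json

ENDPOINT = "/jsonrpc/management"
SENSITIVE_METHODS = {"deleteUserAccount"}
ADMIN_GROUPS = {"UG_ADMIN"}  # assumption: name of the administrative group


def _log_line(ts, src, user, group, body):
    """Constructed log format: one JSON object per line carrying the caller's
    identity (as resolved by the application) and the raw request body."""
    return json.dumps({"ts": ts, "src": src, "user": user, "group": group,
                       "path": ENDPOINT, "body": json.dumps(body)})


# Constructed sample log. 'getUserAccounts' is a hypothetical benign method name.
SAMPLE_LOG = [
    _log_line("2026-02-15T15:10:01Z", "192.0.2.10", "alice", "UG_USER",
              {"jsonrpc": "2.0", "method": "getUserAccounts", "id": 1}),
    _log_line("2026-02-15T15:10:02Z", "192.0.2.10", "alice", "UG_USER",
              {"jsonrpc": "2.0", "method": "deleteUserAccount",
               "params": {"username": "bob"}, "id": 2}),
    _log_line("2026-02-15T15:10:03Z", "198.51.100.5", "admin", "UG_ADMIN",
              {"jsonrpc": "2.0", "method": "deleteUserAccount",
               "params": {"username": "carol"}, "id": 3}),
    # Batch request: a top-level 'method' match alone would miss the second element.
    _log_line("2026-02-15T15:10:04Z", "192.0.2.10", "alice", "UG_USER",
              [{"jsonrpc": "2.0", "method": "getUserAccounts", "id": 4},
               {"jsonrpc": "2.0", "method": "deleteUserAccount",
                "params": {"username": "dave"}, "id": 5}]),
    "garbage that is not JSON",
]


def rpc_calls(body):
    """Yield (method, params) for every call in a JSON-RPC body, single or batch."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return
    for item in doc if isinstance(doc, list) else [doc]:
        if isinstance(item, dict) and isinstance(item.get("method"), str):
            yield item["method"], item.get("params")


def find_unauthorized_deletes(lines):
    """Return one alert per sensitive call made by a caller outside ADMIN_GROUPS."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # unparsable line; a production pipeline should count these
        if not isinstance(rec, dict) or rec.get("path") != ENDPOINT:
            continue
        if rec.get("group") in ADMIN_GROUPS:
            continue
        for method, params in rpc_calls(rec.get("body")):
            if method in SENSITIVE_METHODS:
                target = params.get("username") if isinstance(params, dict) else None
                alerts.append({"line": lineno, "ts": rec.get("ts"), "src": rec.get("src"),
                               "user": rec.get("user"), "method": method, "target": target})
    return alerts


if __name__ == "__main__":
    for a in find_unauthorized_deletes(SAMPLE_LOG):
        print(f"ALERT line {a['line']} {a['ts']} {a['user']}@{a['src']} "
              f"called {a['method']} on {a['target']!r}")
```

The same `rpc_calls` walk is what an inline proxy or WAF rule would need in order to block the request rather than merely log it; the group lookup is the part that depends on the deployment, since a proxy in front of the server has to map the session to a role itself.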
Affected Countries
Germany, France, Netherlands, Belgium, Switzerland, Austria, United Kingdom, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-15T15:02:17.449Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6991ea414b0e3abdf972b010
Added to database: 2/15/2026, 3:46:09 PM
Last enriched: 2/15/2026, 4:00:58 PM
Last updated: 2/16/2026, 2:12:09 PM