
CVE-2026-26367: Missing Authorization in JUNG eNet SMART HOME server

Severity: High
Published: Sun Feb 15 2026 (02/15/2026, 15:29:54 UTC)
Source: CVE Database V5
Vendor/Project: JUNG
Product: eNet SMART HOME server

Description

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the deleteUserAccount JSON-RPC method that permits any authenticated low-privileged user (UG_USER) to delete arbitrary user accounts, except for the built-in admin account. The application does not enforce role-based access control on this function, allowing a standard user to submit a crafted POST request to /jsonrpc/management specifying another username to have that account removed without elevated permissions or additional confirmation.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 03/02/2026, 17:16:45 UTC

Technical Analysis

CVE-2026-26367 affects JUNG eNet SMART HOME server versions 2.2.1 and 2.3.1. The root cause is a missing authorization check in the deleteUserAccount JSON-RPC method: the server authenticates the caller but never verifies that the caller's role permits account deletion, so any session in the low-privileged UG_USER group can invoke the method and delete arbitrary user accounts, excluding only the built-in administrator account. The attack is a single crafted POST to /jsonrpc/management naming the target username. No elevated privileges, confirmation step or user interaction is needed, and the request can be sent from anywhere that can reach the server's web interface. The flaw affects the integrity and availability of user accounts and can disrupt smart home management and user access. The CVSS 4.0 base score is 7.1 (High): network attack vector, low attack complexity, low privileges required (an ordinary authenticated user account), no user interaction. No exploitation in the wild had been reported as of publication. Missing authorization on an account-management function is a significant security oversight in the affected versions.
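The following is an added example, not JUNG's code, that models the authorization gap described above as a minimal JSON-RPC handler beside its hardened counterpart. The endpoint, method name, UG_USER group and protected built-in admin come from the advisory; the JSON-RPC parameter name "username", the admin group name "UG_ADMIN" and the built-in account name "admin" are assumptions made for this illustration.

```python
"""Model of the missing-authorization flaw described for CVE-2026-26367.

Added example, not JUNG's code. The advisory gives the endpoint
(/jsonrpc/management), the method (deleteUserAccount), the low-privilege
group (UG_USER) and the protected built-in admin; the parameter name
"username", the group name "UG_ADMIN" and the account name "admin" are
assumptions made for this illustration.
"""
import json
from dataclasses import dataclass

BUILTIN_ADMIN = "admin"  # assumed name of the protected built-in account


@dataclass(frozen=True)
class Session:
    username: str
    group: str  # "UG_USER" (standard user) or "UG_ADMIN" (assumed admin group)


def _error(req, msg):
    return {"jsonrpc": "2.0", "id": req.get("id"), "error": {"message": msg}}


def _delete(users, target, req):
    # The built-in admin is protected in both versions, as the advisory states.
    if target == BUILTIN_ADMIN:
        return _error(req, "built-in admin account cannot be deleted")
    if target not in users:
        return _error(req, f"unknown user {target}")
    users.remove(target)
    return {"jsonrpc": "2.0", "id": req.get("id"), "result": True}


def vulnerable_handler(users, session, raw_body):
    """Any authenticated session reaches the method; no role check is made."""
    req = json.loads(raw_body)
    if req.get("method") != "deleteUserAccount":
        return _error(req, "method not found")
    target = req.get("params", {}).get("username")
    # Flaw: `session` is never consulted, so a UG_USER can delete anyone but admin.
    return _delete(users, target, req)


def hardened_handler(users, session, raw_body):
    """Same method with server-side RBAC: admin role, or self-deletion only."""
    req = json.loads(raw_body)
    if req.get("method") != "deleteUserAccount":
        return _error(req, "method not found")
    target = req.get("params", {}).get("username")
    # Authorization is decided per request from the server-side session, never
    # from anything the client sends in the body.
    if session.group != "UG_ADMIN" and target != session.username:
        return _error(req, "forbidden: deleteUserAccount requires UG_ADMIN")
    return _delete(users, target, req)


def delete_request(target, req_id=1):
    """Body of the crafted POST to /jsonrpc/management (parameter name assumed)."""
    return json.dumps({"jsonrpc": "2.0", "id": req_id,
                       "method": "deleteUserAccount",
                       "params": {"username": target}})


def run_scenario():
    """Replay a low-privileged user's attempts against both handlers."""
    low = Session("bob", "UG_USER")
    outcome = {}
    users = {"admin", "alice", "bob"}  # constructed account list
    outcome["vuln_alice"] = vulnerable_handler(users, low, delete_request("alice"))
    outcome["vuln_admin"] = vulnerable_handler(users, low, delete_request("admin"))
    outcome["vuln_remaining"] = sorted(users)
    users = {"admin", "alice", "bob"}
    outcome["hard_alice"] = hardened_handler(users, low, delete_request("alice"))
    outcome["hard_self"] = hardened_handler(users, low, delete_request("bob"))
    outcome["hard_remaining"] = sorted(users)
    return outcome


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running the scenario shows the difference in one place: against the vulnerable handler, bob (UG_USER) removes alice and is stopped only at the built-in admin; against the hardened handler the same request is refused, and the only deletion bob can still perform is of his own account.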

Potential Impact

For organizations and individuals that manage smart home devices and user accounts through the JUNG eNet SMART HOME server, unauthorized account deletion means denial of service for legitimate users, loss of their personalized configurations, and interruption of the automations tied to those accounts. In multi-user deployments an attacker holding one standard account can remove every other non-admin user to gain exclusive day-to-day control or simply cause operational disruption. The built-in admin account survives, so an administrator can recreate users, but the affected accounts and their settings are gone until that happens. The flaw undermines the integrity of user management and, in combination with other weaknesses, could serve as a step in a larger attack. Operational downtime, support effort and loss of trust are the likely costs if it is exploited. Because the endpoint is network-accessible and only a standard account is needed, the attack surface is every person, device or integration that holds UG_USER credentials.

Mitigation Recommendations

Upgrade to a fixed version of the eNet SMART HOME server as soon as JUNG makes one available. Until then, limit who can reach /jsonrpc/management at all: keep the server off the internet and on a segmented network, and expose it to remote users only through a VPN or firewall rules that permit known clients. A reverse proxy can add an external control, but note the caveat: the proxy cannot see the server's role assignment, so it can enforce a role-based rule only if it can attribute the request to a role itself (for example, by allowing deleteUserAccount calls only from an administrator's network or only after its own authentication step); rejecting the method from every other source is the practical form of that control. Log JSON-RPC requests to this endpoint, including the method name, and alert on deleteUserAccount calls from non-admin sessions or on bursts of deletions, since each one is a direct indicator of exploitation. Review account management so that the number of UG_USER accounts is kept to what is needed, credentials are strong, and unused accounts are removed. Tell users to report unexpected account deletions. An intrusion detection system that inspects API traffic for account-management methods can provide the same detection at the network level.
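The detection recommended above, as an added example that is not part of the original advisory or any vendor tooling. It assumes a reverse proxy (or the server) in front of /jsonrpc/management writes one key=value line per request that includes the JSON-RPC method, the authenticated user, the user's group and the "username" parameter; that log format and the sample lines are constructed for this example. It also goes beyond the single-request case in the text by adding a burst rule over the same lines.

```python
"""Detection sketch for CVE-2026-26367 exploitation attempts.

Added example, not JUNG's or any vendor's code. Assumes a reverse proxy or
the server logs each /jsonrpc/management request as key=value pairs with
the JSON-RPC method and "username" parameter; the format and the sample
lines below are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: bob (UG_USER) deletes alice and carol, then fails
# against admin; the admin removes dave; erin deletes only her own account.
SAMPLE_LOG = """\
2026-02-16T10:01:58Z src=192.0.2.10 user=bob group=UG_USER path=/jsonrpc/management method=getUserAccounts target=- status=200
2026-02-16T10:02:11Z src=192.0.2.10 user=bob group=UG_USER path=/jsonrpc/management method=deleteUserAccount target=alice status=200
2026-02-16T10:02:13Z src=192.0.2.10 user=bob group=UG_USER path=/jsonrpc/management method=deleteUserAccount target=carol status=200
2026-02-16T10:02:15Z src=192.0.2.10 user=bob group=UG_USER path=/jsonrpc/management method=deleteUserAccount target=admin status=500
2026-02-16T11:30:00Z src=192.0.2.50 user=admin group=UG_ADMIN path=/jsonrpc/management method=deleteUserAccount target=dave status=200
2026-02-16T12:00:00Z src=192.0.2.77 user=erin group=UG_USER path=/jsonrpc/management method=deleteUserAccount target=erin status=200
"""


def parse_line(line):
    """Turn one constructed log line into a dict; the timestamp becomes a datetime."""
    ts_str, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for tok in pairs:
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def detect(log_text, burst_window_s=60, burst_threshold=3):
    """Return alerts for deleteUserAccount calls that match the advisory's attack.

    Rule unauthorized_delete: a non-admin deleting an account other than its own
    (a 200 means the deletion succeeded, anything else is an attempt).
    Rule delete_burst: `burst_threshold` deletions from one src/user within
    `burst_window_s` seconds, raised once when the threshold is reached.
    """
    alerts = []
    recent = defaultdict(list)  # (src, user) -> timestamps of recent deletions
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("path") != "/jsonrpc/management" or rec.get("method") != "deleteUserAccount":
            continue
        caller, group, target, status = rec["user"], rec["group"], rec["target"], rec["status"]
        if group != "UG_ADMIN" and target != caller:
            alerts.append({
                "ts": rec["ts"], "rule": "unauthorized_delete",
                "severity": "high" if status == "200" else "medium",
                "detail": f"{caller} ({group}) called deleteUserAccount on {target}, status {status}",
            })
        key = (rec["src"], caller)
        recent[key] = [t for t in recent[key] if (rec["ts"] - t).total_seconds() <= burst_window_s]
        recent[key].append(rec["ts"])
        if len(recent[key]) == burst_threshold:
            alerts.append({
                "ts": rec["ts"], "rule": "delete_burst", "severity": "high",
                "detail": f"{burst_threshold} deleteUserAccount calls from {rec['src']} as {caller} within {burst_window_s}s",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"].isoformat(), alert["severity"], alert["rule"], alert["detail"])
```

On the sample, the admin's deletion of dave and erin's self-deletion produce nothing; bob's three calls produce three unauthorized_delete alerts (two high for the successful deletions, one medium for the refused attempt on admin) plus one delete_burst alert. If the real log cannot carry the target username, keep the first rule on method and group alone: any deleteUserAccount from a UG_USER session is still worth an alert, since the advisory describes no legitimate reason for it.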


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-02-15T15:02:17.449Z
CVSS Version: 4.0
State: PUBLISHED

Added to database: 2/15/2026, 3:46:09 PM

Last enriched: 3/2/2026, 5:16:45 PM

Last updated: 4/1/2026, 2:11:31 AM