The vulnerability identified as CVE-2026-26368 affects the eNet SMART HOME server software versions 2.2.1 and 2.3.1 developed by JUNG. It stems from a missing authorization check in the resetUserPassword method exposed via the JSON-RPC interface at /jsonrpc/management. This flaw permits any authenticated user with low-level privileges (UG_USER) to reset passwords for any account, including those with administrative (UG_ADMIN) or super-administrative (UG_SUPER_ADMIN) privileges, without providing the current password or having the necessary authorization. The attack vector involves crafting a JSON-RPC request that manipulates the password reset functionality, effectively overwriting credentials of targeted accounts. This leads to immediate account takeover, granting the attacker full administrative control over the smart home server environment. The vulnerability does not require user interaction and can be exploited remotely over the network, with no additional authentication beyond a low-privileged user account. The CVSS 4.0 base score of 8.7 reflects the high impact on confidentiality, integrity, and availability, combined with the low attack complexity and no need for elevated privileges or user interaction. Although no public exploits have been observed in the wild, the vulnerability poses a significant risk to the security of smart home deployments relying on these affected versions. The lack of patch links indicates that immediate vendor remediation may not yet be available, emphasizing the need for alternative mitigations.

This vulnerability allows attackers with minimal privileges to escalate their access to full administrative control over the eNet SMART HOME server, compromising the confidentiality, integrity, and availability of the smart home environment. Attackers can reset passwords for any user, including administrators, enabling persistent unauthorized access and control over connected devices and configurations. This could lead to unauthorized surveillance, manipulation of home automation systems, disabling security features, or causing denial of service. For organizations managing multiple smart home deployments, this could result in widespread compromise, loss of customer trust, and potential regulatory penalties. The remote exploitation capability without user interaction increases the risk of automated attacks and worm-like propagation within vulnerable networks. The impact extends beyond individual homes to enterprises or service providers using this platform for building or facility automation, potentially affecting critical infrastructure components.

Until an official patch is released, organizations should implement strict network segmentation to isolate the eNet SMART HOME server from untrusted networks and restrict access to the /jsonrpc/management endpoint to only trusted administrative hosts. Employ strong authentication mechanisms and monitor logs for unusual password reset requests or account changes. Disable or restrict low-privileged user accounts where possible to reduce the attack surface. Consider deploying Web Application Firewalls (WAF) or Intrusion Detection/Prevention Systems (IDS/IPS) with custom rules to detect and block suspicious JSON-RPC requests targeting password reset functionality. Regularly audit user accounts and credentials for unauthorized changes. Engage with the vendor for updates and apply patches promptly once available. Additionally, educate users and administrators about the risk and encourage immediate reporting of any suspicious activity related to account management.