
CVE-2026-26368: Missing Authorization in JUNG eNet SMART HOME server

Severity: High
Tags: Vulnerability, CVE-2026-26368
Published: Sun Feb 15 2026 (02/15/2026, 15:29:55 UTC)
Source: CVE Database V5
Vendor/Project: JUNG
Product: eNet SMART HOME server

Description

eNet SMART HOME server 2.2.1 and 2.3.1 contains a missing authorization vulnerability in the resetUserPassword JSON-RPC method that allows any authenticated low-privileged user (UG_USER) to reset the password of arbitrary accounts, including those in the UG_ADMIN and UG_SUPER_ADMIN groups, without supplying the current password or having sufficient privileges. By sending a crafted JSON-RPC request to /jsonrpc/management, an attacker can overwrite existing credentials, resulting in direct account takeover with full administrative access and persistent privilege escalation.

AI-Powered Analysis

AI analysis last updated: 02/15/2026, 16:00:44 UTC

Technical Analysis

The vulnerability identified as CVE-2026-26368 affects the eNet SMART HOME server software developed by JUNG, specifically versions 2.2.1 and 2.3.1. The issue lies in the resetUserPassword JSON-RPC method, which lacks proper authorization checks. This flaw permits any authenticated user with low privileges (UG_USER) to reset the passwords of any user accounts, including those with administrative (UG_ADMIN) and super-administrative (UG_SUPER_ADMIN) privileges, without supplying the current password or having the necessary rights. The attack vector involves sending a specially crafted JSON-RPC request to the /jsonrpc/management endpoint, which the server processes without verifying the requester's authorization level. This results in overwriting existing credentials, enabling the attacker to take over accounts with full administrative control. The vulnerability is remotely exploitable over the network without user interaction and does not require elevated privileges beyond a low-level authenticated user. The CVSS 4.0 base score is 8.7, reflecting high severity due to the ease of exploitation, lack of required user interaction, and the significant impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability presents a critical risk for environments relying on these versions of the eNet SMART HOME server, especially where multiple user roles exist and smart home management is critical.

Potential Impact

For European organizations, the impact of this vulnerability is significant, especially for those deploying JUNG's eNet SMART HOME server in residential, commercial, or industrial smart building environments. Successful exploitation leads to unauthorized administrative access, allowing attackers to manipulate smart home configurations, disable security controls, or disrupt services. This compromises confidentiality by exposing sensitive user data and credentials, integrity by enabling unauthorized changes to system settings, and availability by potentially disabling or impairing smart home functionalities. The persistent privilege escalation can facilitate lateral movement within networks, increasing the risk of broader compromise. Given the growing adoption of smart home and building automation solutions in Europe, this vulnerability could affect critical infrastructure, corporate facilities, and private residences, leading to privacy violations, operational disruptions, and potential safety hazards. The lack of known exploits currently provides a window for mitigation, but the high severity score underscores the urgency for affected organizations to act promptly.

Mitigation Recommendations

To mitigate this vulnerability, organizations should first verify whether they are running an affected version (2.2.1 or 2.3.1) of the eNet SMART HOME server. Immediate steps include:

1) Apply any available vendor patches or updates as soon as they are released.
2) If patches are not yet available, restrict access to the /jsonrpc/management endpoint with network-level controls such as firewall rules or VPN requirements, so that only trusted users can reach it.
3) Enforce strong authentication and monitor logs for unusual password reset activity or unauthorized access attempts.
4) Conduct regular audits of user accounts and privileges to detect unauthorized changes.
5) Segment smart home management systems from other critical networks to contain potential breaches.
6) Engage with the vendor for guidance on interim fixes or workarounds.
7) Educate users about the risk and encourage reporting of suspicious behavior.

These targeted actions go beyond generic advice by focusing on access control hardening and proactive monitoring specific to the vulnerability's exploitation vector.
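As an added, defender-side illustration (this is not JUNG's code; the log record schema and parameter names are assumed), the following Python encodes the authorization rule that resetUserPassword should enforce and applies it to constructed /jsonrpc/management log records, flagging the reset calls that the unpatched handler would have accepted:

```python
import json

# Groups named on the advisory page; only these may reset other accounts.
ADMIN_GROUPS = {"UG_ADMIN", "UG_SUPER_ADMIN"}


def reset_authorized(caller, caller_group, target, current_password_supplied):
    """Authorization check the vulnerable handler lacks (assumed policy).

    A user may reset only their own password, and only by proving the current
    one; members of the admin groups may reset other accounts. A UG_USER can
    therefore never change another account's credentials.
    """
    if caller == target:
        return bool(current_password_supplied)
    return caller_group in ADMIN_GROUPS


def flag_suspicious_resets(log_lines):
    """Return resetUserPassword records the policy would have denied.

    Each line is a JSON object with an assumed schema: path, method, caller,
    caller_group and params (username, old_password_supplied).
    """
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("path") != "/jsonrpc/management":
            continue
        if rec.get("method") != "resetUserPassword":
            continue
        params = rec.get("params", {})
        if not reset_authorized(rec["caller"], rec["caller_group"],
                                params.get("username"),
                                params.get("old_password_supplied", False)):
            hits.append(rec)
    return hits


# Constructed sample records, not real eNet SMART HOME server output.
SAMPLE_LOG = [
    '{"path": "/jsonrpc/management", "method": "resetUserPassword", "caller": "alice", "caller_group": "UG_USER", "params": {"username": "alice", "old_password_supplied": true}}',
    '{"path": "/jsonrpc/management", "method": "resetUserPassword", "caller": "mallory", "caller_group": "UG_USER", "params": {"username": "admin", "old_password_supplied": false}}',
    '{"path": "/jsonrpc/management", "method": "resetUserPassword", "caller": "admin", "caller_group": "UG_ADMIN", "params": {"username": "bob", "old_password_supplied": false}}',
    '{"path": "/jsonrpc/management", "method": "resetUserPassword", "caller": "mallory", "caller_group": "UG_USER", "params": {"username": "mallory", "old_password_supplied": false}}',
    '{"path": "/jsonrpc/status", "method": "getStatus", "caller": "alice", "caller_group": "UG_USER", "params": {}}',
]

if __name__ == "__main__":
    for rec in flag_suspicious_resets(SAMPLE_LOG):
        print("suspicious reset:", rec["caller"], "->", rec["params"]["username"])
```

Only the two mallory records are reported: the cross-account reset of admin by a UG_USER, and the self-reset that never proved the current password.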


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-02-15T15:02:31.876Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6991ea414b0e3abdf972b015

Added to database: 2/15/2026, 3:46:09 PM

Last enriched: 2/15/2026, 4:00:44 PM

Last updated: 2/16/2026, 2:05:01 PM

Views: 23
