CVE-2026-39880
MEDIUM
Remnawave Backend has a race condition in HWID device limit that allows bypassing max devices
Title source: cna
Description
Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscriptions and consume excessive traffic. This vulnerability is fixed in 2.7.5.
Scores
CVSS v3
5.0
EPSS
0.0003
EPSS Percentile
8.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-362
Status
published
Products (2)
remnawave/backend
< 2.7.5
remnawave/remnawave_backend
< 2.7.4
Published
Apr 08, 2026
Tracked Since
Apr 09, 2026