CVE-2026-39880 PUBLISHED

Remnawave Backend has a race condition in HWID device limit allows bypassing max devices

Assigner: GitHub_M
Reserved: 07.04.2026 Published: 08.04.2026 Updated: 08.04.2026

Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscriptions and consume excessive traffic. This vulnerability is fixed in 2.7.5.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
CVSS Score: 5

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	remnawave
Product	backend
Versions	Version < 2.7.5 is affected

References

https://github.com/remnawave/backend/security/advisories/GHSA-985p-44h5-v3pq

Problem Types

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE