CVE-2026-39880 MEDIUM

CVE-2026-39880: Remnawave Backend has a race condition in HWID device limit allows bypassing max devices

Vendor Remnawave
Product backend
Weakness CWE-362
Published April 8, 2026
Last update April 10, 2026

CVSS base score

5.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscriptions and consume excessive traffic. This vulnerability is fixed in 2.7.5.

Key dates

02Disclosure timeline

April 8, 2026 CVE published
April 10, 2026 Record updated