Description
Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscriptions and consume excessive traffic. This vulnerability is fixed in 2.7.5.
Published: 2026-04-08
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Resource Abuse and Potential Service Degradation
Action: Immediate Patch
AI Analysis

Impact

The affected backend contains a race condition (CWE-362) in its HWID device registration logic: the check against the configured device limit and the insertion of the new device are not performed atomically. An authenticated user who submits registrations concurrently can have each request pass the limit check before any of them is recorded, registering more devices than the system-configured maximum allows. This enables the user to resell subscriptions and consume traffic in excess of what the subscription permits, leading to potential financial loss and service degradation for other customers.

Affected Systems

Remnawave Backend, all releases prior to version 2.7.5. The vulnerability is fixed in version 2.7.5. Any deployment using older releases with a configured HWID device limit is vulnerable.

Risk and Exploitability

The CVSS v3.1 score of 5.0 indicates medium severity. Because the flaw requires the attacker to be an authenticated user and no exploit code has been publicly disclosed, the immediate risk is reduced, and the vulnerability is not listed in the CISA KEV catalog. Exploitation depends on winning a race during concurrent device registration, which may be hard to trigger reliably without repeated attempts. Nevertheless, bypassing device limits can result in resource abuse and increased operational costs.
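The check-then-act pattern described above, shown as an added illustration in TypeScript that is not Remnawave's code: a device-limit check that reads the count, awaits a simulated database round trip, then inserts, loses the race under concurrent requests; serializing the check and insert per user (in a real backend, a transaction with a row lock or an atomic conditional insert) restores the limit. All names, the in-memory store and the `tick` delay are assumptions for the demonstration.

```typescript
// Added example (not the project's code): an in-memory stand-in for a user's
// HWID device table and its configured maximum.
type Store = { devices: Set<string>; maxDevices: number };

function makeStore(maxDevices: number): Store {
  return { devices: new Set<string>(), maxDevices };
}

// Simulated async DB round trip; this is where concurrent requests interleave.
const tick = (): Promise<void> => new Promise((resolve) => setTimeout(resolve, 0));

// Vulnerable (CWE-362): the count is read, the request yields to the event loop,
// and only then is the device inserted. Every concurrent caller observes the
// pre-insert count, so all of them pass the limit check.
async function registerRacy(store: Store, hwid: string): Promise<boolean> {
  if (store.devices.has(hwid)) return true;
  const count = store.devices.size; // check
  await tick();                     // e.g. awaiting a query
  if (count >= store.maxDevices) return false;
  store.devices.add(hwid);          // act
  return true;
}

// Fixed: registrations for the same store run one after another on a per-store
// promise chain, so the check and the insert cannot be interleaved.
const locks = new Map<Store, Promise<unknown>>();

async function registerSafe(store: Store, hwid: string): Promise<boolean> {
  const previous = locks.get(store) ?? Promise.resolve();
  const run = previous.then(async () => {
    if (store.devices.has(hwid)) return true;
    await tick();
    if (store.devices.size >= store.maxDevices) return false; // re-check under the lock
    store.devices.add(hwid);
    return true;
  });
  locks.set(store, run.catch(() => undefined)); // keep the chain alive on errors
  return run;
}

// Fire n concurrent registrations against a fresh store with the given limit and
// return how many devices were actually stored.
async function burst(
  register: (s: Store, h: string) => Promise<boolean>,
  limit: number,
  n: number,
): Promise<number> {
  const store = makeStore(limit);
  await Promise.all(Array.from({ length: n }, (_, i) => register(store, `hwid-${i}`)));
  return store.devices.size;
}
```

With a limit of 3 and 10 concurrent requests, `burst(registerRacy, 3, 10)` stores all 10 devices while `burst(registerSafe, 3, 10)` stores exactly 3.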

Generated by OpenCVE AI on April 8, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Remnawave Backend to version 2.7.5 or newer.
  • Confirm that the HWID device limit is enforced after the upgrade.
  • If an upgrade is not immediately possible, temporarily reduce the maximum device allowance or monitor device registration activity for anomalies.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Remnawave; Remnawave backend

Type: Vendors & Products
Values Removed: (none)
Values Added: Remnawave; Remnawave backend

Wed, 08 Apr 2026 20:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscriptions and consume excessive traffic. This vulnerability is fixed in 2.7.5.

Type: Title
Values Removed: (none)
Values Added: Remnawave Backend has a race condition in HWID device limit allows bypassing max devices

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-362

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T20:01:21.673Z

Reserved: 2026-04-07T20:32:03.010Z

Link: CVE-2026-39880

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T20:16:26.850

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39880

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:29Z

Weaknesses