Skip to main content

Remnawave Backend CVE-2026-39880

| EUVDEUVD-2026-20620 MEDIUM
Race Condition (CWE-362)
2026-04-08 security-advisories@github.com
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.7.5
EUVD ID Assigned
Apr 08, 2026 - 20:23 euvd
EUVD-2026-20620
Analysis Generated
Apr 08, 2026 - 20:23 vuln.today
CVE Published
Apr 08, 2026 - 20:16 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscriptions and consume excessive traffic. This vulnerability is fixed in 2.7.5.

AnalysisAI

Remnawave Backend prior to version 2.7.5 allows authenticated users to bypass HWID device registration limits through a race condition in the device registration logic, enabling subscription resale and excessive traffic consumption. The vulnerability requires valid authentication credentials but affects the integrity of subscription management controls across the system. A vendor-released patch is available in version 2.7.5.

Technical ContextAI

Remnawave Backend implements HWID (Hardware ID) device registration as part of its proxy and user management solution to enforce per-user device limits and prevent subscription abuse. The vulnerability stems from a race condition (CWE-362) in the device registration logic, where concurrent registration requests can circumvent the configured device limit enforcement. This occurs at the application layer where device count validation is performed without proper synchronization, allowing an authenticated attacker to register additional devices by exploiting timing windows between limit checks and device creation. The issue affects authenticated sessions with existing user accounts, indicating the race condition manifests in the backend's registration workflow rather than initial authentication.

RemediationAI

Upgrade Remnawave Backend to version 2.7.5 or later to apply the fix for the HWID device registration race condition. Organizations running versions prior to 2.7.5 should prioritize this upgrade to restore proper device limit enforcement and prevent subscription abuse. For environments unable to upgrade immediately, restrict HWID device registration API access to trusted administrators and monitor device registration logs for anomalous concurrent registration patterns. Detailed remediation guidance is available in the GitHub security advisory at https://github.com/remnawave/backend/security/advisories/GHSA-985p-44h5-v3pq.

Share

CVE-2026-39880 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy