CVE-2026-39880
Received Received - Intake
Authentication Bypass in Remnawave Backend Allows Device Limit Evasion

Publication date: 2026-04-08

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscriptions and consume excessive traffic. This vulnerability is fixed in 2.7.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39880
EUVD
EUVD-2026-20620
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
remnawave remnawave_backend to 2.7.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated users to bypass device registration limits, leading to excessive resource consumption and potential unauthorized reselling of subscriptions.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to circumvent device limits and resell subscriptions could indirectly impact compliance by undermining access controls and resource management policies.

However, there is no direct information provided about data confidentiality breaches or personal data exposure that would clearly affect GDPR or HIPAA compliance.

Executive Summary

CVE-2026-39880 is a race condition vulnerability in the HWID (Hardware ID) device registration logic of the Remnawave Backend, affecting versions prior to 2.7.5.

The flaw occurs because the code that enforces the maximum allowed HWID devices per user does not use atomic operations or transactional locking. This means multiple concurrent requests can bypass the device limit by simultaneously checking the current number of registered devices before any new registrations are committed.

As a result, an authenticated user can register more devices than the configured limit, enabling them to resell subscriptions and consume excessive traffic.

Impact Analysis

This vulnerability allows authenticated users to bypass device registration limits, which can lead to several negative impacts:

  • Service owners lose control over device limits, resulting in increased resource consumption and traffic.
  • Abusive users can register more devices than allowed, potentially reselling subscriptions.
  • Legitimate customers and resellers may be disadvantaged due to resource abuse by others.
Detection Guidance

This vulnerability can be detected by monitoring for multiple concurrent device registration requests from the same authenticated user that exceed the configured HWID device limit.

A practical detection method involves intercepting and analyzing device registration requests to identify if multiple registrations are occurring simultaneously, bypassing the device limit.

For example, you can use network traffic analysis tools or proxy logs to detect repeated or concurrent POST/GET requests to the device registration endpoint.

While no specific commands are provided, you might use tools like tcpdump, Wireshark, or HTTP proxy logs to capture and analyze these requests.

Additionally, scripting with curl or similar tools to simulate concurrent device registration requests can help verify if the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade the Remnawave Backend to version 2.7.5 or later, where this race condition vulnerability has been fixed.

Until the upgrade can be applied, consider implementing transactional locking or atomic operations around the HWID device registration logic to prevent concurrent requests from bypassing device limits.

Monitoring and rate-limiting device registration requests per user can also help reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39880. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart