{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39880", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T20:32:03.010Z", "datePublished": "2026-04-08T20:01:21.673Z", "dateUpdated": "2026-04-10T20:48:07.233Z"}, "containers": {"cna": {"title": "Remnawave Backend has a race condition in HWID device limit allows bypassing max devices", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/remnawave/backend/security/advisories/GHSA-985p-44h5-v3pq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/remnawave/backend/security/advisories/GHSA-985p-44h5-v3pq"}], "affected": [{"vendor": "remnawave", "product": "backend", "versions": [{"version": "< 2.7.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:01:21.673Z"}, "descriptions": [{"lang": "en", "value": "Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscriptions and consume excessive traffic. This vulnerability is fixed in 2.7.5."}], "source": {"advisory": "GHSA-985p-44h5-v3pq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T20:47:30.302993Z", "id": "CVE-2026-39880", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:48:07.233Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39880", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T20:47:30.302993Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:48:02.960Z"}}], "cna": {"title": "Remnawave Backend has a race condition in HWID device limit allows bypassing max devices", "source": {"advisory": "GHSA-985p-44h5-v3pq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "remnawave", "product": "backend", "versions": [{"status": "affected", "version": "< 2.7.5"}]}], "references": [{"url": "https://github.com/remnawave/backend/security/advisories/GHSA-985p-44h5-v3pq", "name": "https://github.com/remnawave/backend/security/advisories/GHSA-985p-44h5-v3pq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscriptions and consume excessive traffic. This vulnerability is fixed in 2.7.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:01:21.673Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39880", "state": "PUBLISHED", "dateUpdated": "2026-04-10T20:48:07.233Z", "dateReserved": "2026-04-07T20:32:03.010Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T20:01:21.673Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:remnawave:remnawave_backend:*:*:*:*:*:*:*:*", "matchCriteriaId": "50EC0CF7-868B-4DE4-8566-D7D9F11258C0", "versionEndIncluding": "2.7.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscriptions and consume excessive traffic. This vulnerability is fixed in 2.7.5."}], "id": "CVE-2026-39880", "lastModified": "2026-04-17T20:38:20.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T20:16:26.850", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/remnawave/backend/security/advisories/GHSA-985p-44h5-v3pq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "backend", "source": "cna", "vendor": "remnawave"}, "product": "backend", "vendor": "remnawave"}], "analysis": {"en": {"generated_at": "2026-04-08T21:25:05.466815+00:00", "value": {"mitigation_remediation": ["Upgrade Remnawave Backend to version 2.7.5 or newer.", "Confirm that the HWID device limit is enforced after the upgrade.", "If an upgrade is not immediately possible, temporarily reduce the maximum device allowance or monitor device registration activity for anomalies."], "summary": {"action": "Immediate Patch", "impact": "Resource Abuse and Potential Service Degradation"}, "threat_synthesis": {"affected_systems": "Remnawave Backend, all releases prior to version 2.7.5. The vulnerability is fixed in version 2.7.5. Any deployment using older releases with a configured HWID device limit is vulnerable.", "description_and_impact": "The affected backend contains a race condition within the HWID device registration logic. An authenticated user can take advantage of this flaw to bypass the system\u2011configured maximum number of HWID devices, allowing registration of additional devices beyond the allowed quota. This exploitation enables the user to resell subscriptions and consume traffic in excess of what the subscription permits, leading to potential financial loss and service degradation for other customers.", "risk_and_exploitability": "The CVSS v3.1 score of 5.0 indicates medium severity. Because the flaw requires the attacker to be an authenticated user and there is no publicly disclosed exploit code, the immediate risk is moderated, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a race condition during concurrent device registration, which may be difficult to reliably trigger without repeated attempts. Nevertheless, the ability to bypass device limits can result in resource abuse and increased operational costs."}}}}, "created": "2026-04-09T08:18:07.285509+00:00", "updated": "2026-04-09T08:27:29.808733+00:00", "vendors": ["remnawave", "remnawave$PRODUCT$backend"]}