CVE-2026-39880

Source
https://cve.org/CVERecord?id=CVE-2026-39880
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39880.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-39880
Aliases
  • GHSA-985p-44h5-v3pq
Published
2026-04-08T20:01:21.673Z
Modified
2026-07-15T01:49:02.406914382Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N CVSS Calculator
Summary
Remnawave Backend has a race condition in HWID device limit allows bypassing max devices
Details

Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscriptions and consume excessive traffic. This vulnerability is fixed in 2.7.5.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/39xxx/CVE-2026-39880.json",
    "cwe_ids": [
        "CWE-362"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "2.7.5"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/remnawave/backend

Affected ranges

Type
GIT
Repo
https://github.com/remnawave/backend
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "cpe": "cpe:2.3:a:remnawave:remnawave_backend:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.7.4"
        }
    ]
}

Affected versions

1.*
1.3.3
1.4.0
1.4.1
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.6.0
1.6.1
1.6.10
1.6.11
1.6.12
1.6.13
1.6.14
1.6.15
1.6.16
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0
2.1.1
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.1.17
2.1.18
2.1.19
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-39880.json"