
Remnawave Backend: Excessive Device Registration

CVE-2026-39880
Summary

Authenticated users can register more HWID devices than the configured limit allows, potentially letting them resell subscriptions and consume excessive traffic. This can lead to financial losses for the business. Update to version 2.7.5 to fix this issue.

Original title
Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the conf...
Original description
Remnawave Backend is the backend for the Remnawave proxy and user management solution. Prior to 2.7.5, a glitch in the HWID device registration logic allows an authenticated user to bypass the configured limit for HWID devices and register more devices than expected, allowing them to resell subscriptions and consume excessive traffic. This vulnerability is fixed in 2.7.5.
NVD CVSS 3.1: 5.0
Vulnerability type
CWE-362 Race Condition
Published: 8 Apr 2026 · Updated: 10 Apr 2026 · First seen: 8 Apr 2026