{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22819", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T22:50:10.289Z", "datePublished": "2026-01-14T18:04:33.426Z", "dateUpdated": "2026-01-14T21:13:36.389Z"}, "containers": {"cna": {"title": "Outray has a Race Condition in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts", "problemTypes": [{"descriptions": [{"cweId": "CWE-366", "lang": "en", "description": "CWE-366: Race Condition within a Thread", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g"}, {"name": "https://github.com/outray-tunnel/outray/commit/73e8a09575754fb4c395438680454b2ec064d1d6", "tags": ["x_refsource_MISC"], "url": "https://github.com/outray-tunnel/outray/commit/73e8a09575754fb4c395438680454b2ec064d1d6"}], "affected": [{"vendor": "akinloluwami", "product": "outray", "versions": [{"version": "< 0.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-14T18:04:33.426Z"}, "descriptions": [{"lang": "en", "value": "Outray openSource ngrok alternative. Prior to 0.1.5, this vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5."}], "source": {"advisory": "GHSA-45hj-9x76-wp9g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T21:13:28.883339Z", "id": "CVE-2026-22819", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T21:13:36.389Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22819", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T21:13:28.883339Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T21:13:33.628Z"}}], "cna": {"title": "Outray has a Race Condition in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts", "source": {"advisory": "GHSA-45hj-9x76-wp9g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "akinloluwami", "product": "outray", "versions": [{"status": "affected", "version": "< 0.1.5"}]}], "references": [{"url": "https://github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g", "name": "https://github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/outray-tunnel/outray/commit/73e8a09575754fb4c395438680454b2ec064d1d6", "name": "https://github.com/outray-tunnel/outray/commit/73e8a09575754fb4c395438680454b2ec064d1d6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Outray openSource ngrok alternative. Prior to 0.1.5, this vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-366", "description": "CWE-366: Race Condition within a Thread"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-14T18:04:33.426Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22819", "state": "PUBLISHED", "dateUpdated": "2026-01-14T21:13:36.389Z", "dateReserved": "2026-01-09T22:50:10.289Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-14T18:04:33.426Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:outray:outray:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "DD246CCB-2E70-40B6-9BA8-ADAB45DF1296", "versionEndExcluding": "0.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Outray openSource ngrok alternative. Prior to 0.1.5, this vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5."}], "id": "CVE-2026-22819", "lastModified": "2026-01-20T14:56:26.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-14T18:16:42.330", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/outray-tunnel/outray/commit/73e8a09575754fb4c395438680454b2ec064d1d6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-366"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:16:53.997192+00:00", "value": {"mitigation_remediation": ["Upgrade Outray to version 0.1.5 or newer to apply the race\u2011condition fix", "Verify that database transaction locks are enabled for the subdomain creation endpoint to prevent concurrent allocations", "Monitor subdomain creation logs for anomalous spikes and enforce quota limits automatically for accounts that exceed the stated allowance"], "summary": {"action": "Patch", "impact": "Unauthorized subdomain allocation"}, "threat_synthesis": {"affected_systems": "Outray, an open\u2011source ngrok alternative maintained by akinloluwami, is affected in all releases prior to version 0.1.5. The vulnerability was fixed in 0.1.5, so any deployment running an earlier version is vulnerable. The affected component is the subdomain creation route located at main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts.", "description_and_impact": "The race condition in Outray's subdomain creation endpoint allows a free plan user to create more subdomains than the service limits permit. By sending concurrent requests, the application\u2019s missing database transaction locks enable duplicate allocations, leading to unauthorized subdomain provisioning. The exploit does not expose sensitive data but permits users to exceed quota, which can be used for resource abuse or to create misleading or malicious subdomains.", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% shows that exploitation is currently unlikely. Because the flaw is triggered by concurrent web API calls from an authenticated free\u2011plan account, the attack vector is local to the application but requires legitimate user access. The vulnerability is not listed in CISA\u2019s KEV catalogue, suggesting no known supply\u2011chain exploitation but still warrants prompt containment."}}}}, "created": "2026-01-15T08:03:19.785527+00:00", "updated": "2026-04-18T06:30:25.899900+00:00", "vendors": ["outray-tunnel", "outray-tunnel$PRODUCT$outray"]}