{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22820", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T22:50:10.289Z", "datePublished": "2026-01-14T15:06:51.127Z", "dateUpdated": "2026-01-14T15:19:46.837Z"}, "containers": {"cna": {"title": "Outray cli is vulnerable to race conditions in tunnels creation", "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7"}, {"name": "https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581", "tags": ["x_refsource_MISC"], "url": "https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581"}], "affected": [{"vendor": "akinloluwami", "product": "outray", "versions": [{"version": "< 0.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-14T15:06:51.127Z"}, "descriptions": [{"lang": "en", "value": "Outray openSource ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5."}], "source": {"advisory": "GHSA-3pqc-836w-jgr7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T15:19:14.539463Z", "id": "CVE-2026-22820", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T15:19:46.837Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22820", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T15:19:14.539463Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T15:19:38.672Z"}}], "cna": {"title": "Outray cli is vulnerable to race conditions in tunnels creation", "source": {"advisory": "GHSA-3pqc-836w-jgr7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "akinloluwami", "product": "outray", "versions": [{"status": "affected", "version": "< 0.1.5"}]}], "references": [{"url": "https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7", "name": "https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581", "name": "https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Outray openSource ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-14T15:06:51.127Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22820", "state": "PUBLISHED", "dateUpdated": "2026-01-14T15:19:46.837Z", "dateReserved": "2026-01-09T22:50:10.289Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-14T15:06:51.127Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:outray:outray:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "DD246CCB-2E70-40B6-9BA8-ADAB45DF1296", "versionEndExcluding": "0.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Outray openSource ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5."}], "id": "CVE-2026-22820", "lastModified": "2026-01-20T14:52:10.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-14T15:16:05.663", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:18:05.892599+00:00", "value": {"mitigation_remediation": ["Update Outray to version 0.1.5 or newer, which contains the race\u2011condition fix", "If building from source, apply the commit referenced in the advisory (08c61495761349e7fd2965229c3faa8d7b1c1581) to incorporate the patch", "If upgrading is not immediately possible, block or throttle tunnel creation through external firewall rules or application\u2011level limits to enforce the subscription quota"], "summary": {"action": "Patch", "impact": "Exceeded tunnel limits (resource abuse)"}, "threat_synthesis": {"affected_systems": "The vulnerable product is Outray, an open\u2011source ngrok alternative developed by akinloluwami. Any installation of Outray older than version 0.1.5 is affected. The problem was fixed in 0.1.5 and later releases are immune.", "description_and_impact": "The issue is a time\u2011of\u2011check to time\u2011of\u2011use race condition that allows a user to create more tunnels than are permitted by their subscription. The counter that tracks active tunnels is updated in a non\u2011atomic way; when two tunnel Creation requests occur concurrently, both can pass the check before the counter is incremented, resulting in an over\u2011run of the tunnel quota. This resource abuse can lead to denial of service for other users or a breach of contractual limits.", "risk_and_exploitability": "The CVSS score of 6.3 indicates a medium severity. The EPSS metric is below 1\u202f%, suggesting a very low likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is local or user\u2011level access to the Outray CLI, as the race condition is triggered by concurrent tunnel creation from an authorized session. Once exploited, the attacker can exhaust the tenant\u2019s tunnel quota."}}}}, "created": "2026-01-15T08:03:29.144767+00:00", "updated": "2026-04-18T16:30:05.071728+00:00", "vendors": ["outray-tunnel", "outray-tunnel$PRODUCT$outray"]}