CVE-2026-22819

Outray has a Race Condition in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts

Description

Outray openSource ngrok alternative. Prior to 0.1.5, this vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5.

INFO

Published Date :

2026-01-14T18:04:33.426Z

Last Modified :

2026-01-14T21:13:36.389Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-22819 vulnerability.

Vendors	Products
Outray	Outray
Outray-tunnel	Outray

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22819.

URL	Resource
https://github.com/outray-tunnel/outray/commit/73e8a09575754fb4c395438680454b2ec064d1d6
https://github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact