CVE-2026-22819 MEDIUM

CVE-2026-22819: Outray has a Race Condition in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts

Vendor Akinloluwami
Product outray
Weakness CWE-366
Published January 14, 2026
Last update January 14, 2026

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

What the vulnerability does

01Description

Outray openSource ngrok alternative. Prior to 0.1.5, this vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5.

Key dates

02Disclosure timeline

January 14, 2026 CVE published
January 14, 2026 Record updated