CVE-2026-22819 Overview
CVE-2026-22819 is a race condition vulnerability in Outray, an open-source ngrok alternative. Prior to version 0.1.5, the application lacks proper database transaction lock mechanisms in the subdomain allocation endpoint (main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts), allowing users on free plans to acquire more subdomains than their plan permits.
Critical Impact
Users can bypass subscription tier limitations by exploiting a race condition during subdomain creation, potentially leading to resource abuse and service quota violations.
Affected Products
- Outray versions prior to 0.1.5
- Node.js deployments of Outray
- Self-hosted Outray instances without the security patch
Discovery Timeline
- 2026-01-14 - CVE-2026-22819 published to NVD
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2026-22819
Vulnerability Analysis
This vulnerability is classified as CWE-366 (Race Condition Within a Thread), affecting the subdomain creation workflow in Outray's web application. The flaw exists in the API endpoint responsible for subdomain allocation, where concurrent requests can bypass plan-based subdomain limits due to insufficient database locking.
When a user submits multiple simultaneous subdomain creation requests, the application's original implementation counted existing subdomains without proper row-level locking. This allowed phantom reads where multiple concurrent transactions could each see the same subdomain count before any of them completed their inserts, effectively allowing more subdomains than the plan permits.
The vulnerability requires authenticated access (a valid user account) and network access to the API endpoint. While the complexity of exploitation is considered high due to the timing requirements of race conditions, the impact is limited to integrity concerns—specifically, the ability to exceed plan quotas without authorization.
Root Cause
The root cause stems from inadequate database transaction isolation in the subdomain counting logic. The original implementation performed a SELECT COUNT(*) query without acquiring row-level locks, creating a Time-of-Check Time-of-Use (TOCTOU) condition where the count could become stale before the subsequent insert operation completed.
Attack Vector
An attacker with a valid free-tier account can exploit this vulnerability by sending multiple concurrent HTTP requests to the subdomain creation endpoint. By timing these requests to arrive nearly simultaneously, the attacker can cause multiple transactions to read the same subdomain count before any transaction commits its new subdomain record. This results in all concurrent requests passing the plan limit check and successfully creating subdomains, even when the combined total would exceed the user's plan allocation.
const planLimits = getPlanLimits(currentPlan as any);
const subdomainLimit = planLimits.maxSubdomains;
- // Count existing subdomains with a locked read to prevent phantom reads
- const [countResult] = await tx
- .select({ count: sql<number>`count(*)::int` })
+ // Count existing subdomains - lock the rows to prevent race conditions
+ const existingSubdomains = await tx
+ .select({ id: subdomains.id })
.from(subdomains)
.where(eq(subdomains.organizationId, organization.id))
.for("update");
- const existingCount = countResult?.count ?? 0;
+ const existingCount = existingSubdomains.length;
if (subdomainLimit !== -1 && existingCount >= subdomainLimit) {
return {
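Review bot: the `.for("update")` on the locked read only locks subdomain rows that already exist, so it does not fully serialise the case the check is for, an organization still below its limit: with no subdomains yet there is no row to lock, and when rows do exist a transaction that blocked on them re-checks those rows once the holder commits but, under PostgreSQL's default READ COMMITTED (the `::int` cast in the removed line suggests a PostgreSQL backend), its statement snapshot does not include the row the holder inserted, so two concurrent requests can both count `limit - 1` and both insert. Lock a row that always exists instead, e.g. `SELECT ... FROM organizations WHERE id = <organization.id> FOR UPDATE` (or `pg_advisory_xact_lock(...)`) before the count. The removed `count(*)::int` together with `FOR UPDATE` is rejected by PostgreSQL ("FOR UPDATE is not allowed with aggregate functions"), which is presumably why the patch selects `id` and uses `.length`; a one-line comment saying so would spare the next reader the same detour. Minor: `currentPlan as any` on the unchanged first line discards type checking on the plan key.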
Source: GitHub Commit Changes
Detection Methods for CVE-2026-22819
Indicators of Compromise
- Users with subdomain counts exceeding their plan tier limits
- Burst patterns of subdomain creation requests from the same user within milliseconds
- Database records showing multiple subdomains created at nearly identical timestamps for a single organization
Detection Strategies
- Implement logging and alerting on subdomain creation API endpoints to identify rapid concurrent requests
- Create database audit queries to identify organizations with subdomain counts exceeding plan limits
- Monitor API request patterns for burst traffic to /api/$orgSlug/subdomains endpoints
Monitoring Recommendations
- Set up rate limiting alerts on subdomain creation endpoints
- Implement periodic reconciliation checks between plan limits and actual subdomain counts
- Deploy application performance monitoring (APM) to track concurrent transaction patterns on critical endpoints
How to Mitigate CVE-2026-22819
Immediate Actions Required
- Upgrade Outray to version 0.1.5 or later immediately
- Audit existing subdomain allocations to identify accounts that may have exploited this vulnerability
- Implement API rate limiting on subdomain creation endpoints as a defense-in-depth measure
Patch Information
The vulnerability has been addressed in Outray version 0.1.5. The fix modifies the subdomain counting mechanism to use row-level locking via a SELECT ... FOR UPDATE query pattern. This ensures that concurrent transactions properly serialize when checking and incrementing subdomain counts, preventing race conditions. The patch commit 73e8a09 is available on the Outray GitHub repository. For additional details, see the GitHub Security Advisory GHSA-45hj-9x76-wp9g.
Workarounds
- Implement API gateway rate limiting to restrict concurrent requests to subdomain creation endpoints
- Add application-level mutex or semaphore controls around subdomain creation logic
- Deploy a scheduled job to identify and revoke excess subdomains from accounts exceeding plan limits
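The check-then-insert race from the Root Cause and Attack Vector sections, and the per-organization mutex listed among the workarounds above, modelled in an added example that is not Outray's code. The in-memory store, the `org-free-tier` tenant and the `simulateBurst` harness are constructed for the demonstration; the real fix in 0.1.5 holds the lock in the database rather than in the process.

```javascript
// Added example (not Outray's code): an in-memory model of the subdomain allocation
// endpoint. Reads and writes resolve on a later event-loop tick, so concurrent requests
// interleave the way the CVE-2026-22819 TOCTOU race describes: every request reads
// the same count before any insert lands.
const tick = () => new Promise((resolve) => setImmediate(resolve));
function makeStore() {
  const rows = [];
  return {
    // simulated async SELECT COUNT(*) FROM subdomains WHERE organization_id = ?
    count: async (orgId) => { await tick(); return rows.filter((r) => r.orgId === orgId).length; },
    // simulated async INSERT INTO subdomains
    insert: async (orgId, name) => { await tick(); rows.push({ orgId, name }); },
  };
}

// Vulnerable shape (pre-0.1.5): check-then-insert with nothing holding the count stable.
async function createSubdomainRacy(store, orgId, name, limit) {
  const existing = await store.count(orgId);
  if (limit !== -1 && existing >= limit) return { ok: false, error: "plan limit reached" };
  await store.insert(orgId, name);
  return { ok: true };
}

// Workaround from the advisory: an application-level mutex per organization, built as a
// promise chain, so check and insert run as one unit. In the shipped fix the database
// lock (SELECT ... FOR UPDATE) plays this role instead.
const orgLocks = new Map();
function withOrgLock(orgId, fn) {
  const prev = orgLocks.get(orgId) ?? Promise.resolve();
  const run = prev.then(fn, fn);
  orgLocks.set(orgId, run.catch(() => {}));
  return run;
}
const createSubdomainLocked = (store, orgId, name, limit) =>
  withOrgLock(orgId, () => createSubdomainRacy(store, orgId, name, limit));

// Fire `requests` concurrent creations for one (constructed) organization on a plan that
// allows `limit` subdomains (-1 = unlimited) and return how many the store ends up with.
async function simulateBurst(create, requests, limit) {
  const store = makeStore();
  const orgId = "org-free-tier";
  await Promise.all(
    Array.from({ length: requests }, (_, i) => create(store, orgId, `sub${i}`, limit)),
  );
  return store.count(orgId);
}

simulateBurst(createSubdomainRacy, 8, 1).then((n) => console.log("no lock:", n));        // 8
simulateBurst(createSubdomainLocked, 8, 1).then((n) => console.log("per-org lock:", n)); // 1
```

The unlocked run lets every one of the eight requests through on a one-subdomain plan, which is the quota bypass the advisory describes; the mutex run admits exactly the plan limit.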
# Configuration example - Rate limiting with nginx (temporary mitigation)
# limit_req_zone belongs in the http context; the org slug needs a regex location
http {
    limit_req_zone $binary_remote_addr zone=subdomain_limit:10m rate=1r/s;
    server {
        location ~ ^/api/[^/]+/subdomains {
            # burst=2 nodelay still admits up to three near-simultaneous requests
            limit_req zone=subdomain_limit burst=2 nodelay;
            proxy_pass http://outray_backend;
        }
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.