CVE-2026-22819

5.9 MEDIUM

📋 TL;DR

Outray versions before 0.1.5 contain a race condition vulnerability where free plan users can bypass subdomain limits due to missing database transaction locks. This allows unauthorized acquisition of additional subdomains beyond their allocated quota. Only Outray instances with free plan users are affected.

💻 Affected Systems

Products:
  • Outray
Versions: All versions before 0.1.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with free tier users enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Free users could exhaust all available subdomains, causing denial of service for legitimate users and potentially enabling phishing attacks through unauthorized subdomain acquisition.

🟠 Likely Case

Free users gradually acquire more subdomains than allowed, leading to resource exhaustion and service degradation over time.

🟢 If Mitigated

With proper rate limiting and monitoring, impact is limited to minor resource consumption anomalies.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated free user account. Simple race condition exploitation via concurrent requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.5

Vendor Advisory: https://github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g

Restart Required: Yes

Instructions:

1. Update Outray to version 0.1.5 or later.
2. Restart the Outray service.
3. Verify the fix by checking the version.

🔧 Temporary Workarounds

Disable free tier (platform: all)

  • Temporarily disable free user registrations to prevent exploitation
  • Modify configuration to disable free tier signups

Rate limiting (platform: all)

  • Implement strict rate limiting on subdomain creation endpoints
  • Configure rate limiting middleware for /api/*/subdomains endpoints

🧯 If You Can't Patch

  • Implement application-level locking mechanisms for subdomain creation
  • Monitor subdomain creation logs for suspicious patterns and alert on anomalies
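The quota race the TL;DR describes (read the user's subdomain count, then insert, with no transaction lock spanning both steps) and the application-level locking listed above, as an added example that is not Outray's code: a small SQLite table of my own, six threads claiming subdomains for one free user, first with the check-then-insert pattern and then with the check and the insert held under a single BEGIN IMMEDIATE write lock so concurrent claims serialise. The table and column names, the user id and the quota of one subdomain are assumptions; the vulnerable variant is only there to show why the lock matters.

```python
"""Check-then-insert quota race versus an atomic check under a write lock."""
import os
import sqlite3
import tempfile
import threading
import time
from typing import Callable

# Assumed schema for the demo (not Outray's real table layout).
SCHEMA = """
CREATE TABLE IF NOT EXISTS subdomains (
    name  TEXT PRIMARY KEY,
    owner TEXT NOT NULL
);
"""


def new_db() -> str:
    """Create a fresh on-disk SQLite file so every worker thread gets its own connection."""
    path = os.path.join(tempfile.mkdtemp(), "quota_demo.sqlite3")
    with sqlite3.connect(path) as con:
        con.executescript(SCHEMA)
    return path


def owned(con: sqlite3.Connection, user: str) -> int:
    """Number of subdomains currently owned by `user`."""
    return con.execute("SELECT COUNT(*) FROM subdomains WHERE owner = ?", (user,)).fetchone()[0]


def claim_unsafe(path: str, user: str, name: str, limit: int, pause: Callable[[], None]) -> bool:
    """Vulnerable pattern: read the count, then insert, with no lock covering both."""
    con = sqlite3.connect(path, isolation_level=None, timeout=10)  # autocommit mode
    try:
        if owned(con, user) >= limit:
            return False
        pause()  # the window in which other requests also pass the check
        con.execute("INSERT INTO subdomains (name, owner) VALUES (?, ?)", (name, user))
        return True
    finally:
        con.close()


def claim_atomic(path: str, user: str, name: str, limit: int, pause: Callable[[], None]) -> bool:
    """Fixed pattern: BEGIN IMMEDIATE takes the write lock before the count is read,
    so concurrent claims serialise and the second one sees the first one's row."""
    con = sqlite3.connect(path, isolation_level=None, timeout=10)
    try:
        con.execute("BEGIN IMMEDIATE")
        try:
            if owned(con, user) >= limit:
                con.execute("ROLLBACK")
                return False
            pause()  # same window, but now held under the lock
            con.execute("INSERT INTO subdomains (name, owner) VALUES (?, ?)", (name, user))
            con.execute("COMMIT")
            return True
        except Exception:
            con.execute("ROLLBACK")
            raise
    finally:
        con.close()


def race(claim, pause: Callable[[], None], limit: int = 1, workers: int = 6) -> int:
    """Fire `workers` concurrent claims for one free user; return rows that actually landed."""
    path = new_db()
    threads = [
        threading.Thread(target=claim, args=(path, "free-user", f"tunnel-{i}", limit, pause))
        for i in range(workers)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    with sqlite3.connect(path) as con:
        return owned(con, "free-user")


def demo_unsafe(limit: int = 1, workers: int = 6) -> int:
    # A barrier makes every worker finish its SELECT before any INSERT runs,
    # which is exactly the interleaving a quota race depends on.
    gate = threading.Barrier(workers)
    return race(claim_unsafe, gate.wait, limit, workers)


def demo_atomic(limit: int = 1, workers: int = 6) -> int:
    # A barrier inside a held write lock would deadlock, so the lock is just held briefly.
    return race(claim_atomic, lambda: time.sleep(0.02), limit, workers)


if __name__ == "__main__":
    print("check-then-insert, limit 1:", demo_unsafe(), "rows")
    print("locked check+insert, limit 1:", demo_atomic(), "rows")
```

On SQLite the write lock is database-wide; on PostgreSQL or MySQL the same shape is usually done with `SELECT ... FOR UPDATE` on the user's row (or an advisory lock keyed by user id) so that only claims for the same user serialise. The important property in either case is that the count is read inside the same lock that the insert commits under.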

🔍 How to Verify

Check if Vulnerable:

Check if Outray version is below 0.1.5 and free tier is enabled

Check Version:

outray --version or check package.json version

Verify Fix Applied:

Confirm version is 0.1.5 or higher and test subdomain creation limits

📡 Detection & Monitoring

Log Indicators:

  • Multiple subdomain creation requests from same free user in short timeframe
  • Subdomain count exceeding free tier limits

Network Indicators:

  • Bursts of POST requests to /api/*/subdomains endpoints

SIEM Query:

source="outray" AND (path="/api/*/subdomains" AND method="POST") | stats count by user_id | where count > threshold
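The log and network indicators above, run over constructed sample lines as an added example that is not Outray's own logging or the SIEM query's syntax: a small Python detector that parses an assumed `key=value` access-log format (the `plan` and `status` fields are assumptions, as is the `/api/<version>/subdomains` path shape), raises a burst alert when one user exceeds a POST threshold within a sliding window, and raises an over-quota alert when a free-plan user accumulates more successful creations than the assumed free-tier limit. The thresholds are placeholders, like `threshold` in the query.

```python
"""Detect subdomain-creation bursts and free-tier quota overruns in access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FREE_TIER_LIMIT = 1                 # assumed free-plan quota (not stated on the page)
BURST_THRESHOLD = 3                 # assumed: more POSTs than this per window is suspicious
BURST_WINDOW = timedelta(seconds=10)

# Assumed log format; adjust the regex to the real access-log layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user_id=(?P<user>\S+) plan=(?P<plan>\S+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
SUBDOMAIN_PATH_RE = re.compile(r"^/api/[^/]+/subdomains/?$")

# Constructed sample lines (not real Outray output): u1 races five creations through,
# u2 is a paid user behaving normally, u3 is a free user correctly refused on the second try.
SAMPLE_LOG = """
2026-01-15T10:00:00Z user_id=u1 plan=free method=GET path=/api/v1/subdomains status=200
2026-01-15T10:00:01Z user_id=u1 plan=free method=POST path=/api/v1/subdomains status=201
2026-01-15T10:00:01Z user_id=u1 plan=free method=POST path=/api/v1/subdomains status=201
2026-01-15T10:00:02Z user_id=u1 plan=free method=POST path=/api/v1/subdomains status=201
2026-01-15T10:00:02Z user_id=u1 plan=free method=POST path=/api/v1/subdomains status=201
2026-01-15T10:00:02Z user_id=u1 plan=free method=POST path=/api/v1/subdomains status=201
2026-01-15T10:05:00Z user_id=u2 plan=pro method=POST path=/api/v1/subdomains status=201
2026-01-15T10:05:30Z user_id=u2 plan=pro method=POST path=/api/v1/subdomains status=201
2026-01-15T11:00:00Z user_id=u3 plan=free method=POST path=/api/v1/subdomains status=201
2026-01-15T11:30:00Z user_id=u3 plan=free method=POST path=/api/v1/subdomains status=409
"""


def parse(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["status"] = int(ev["status"])
    return ev


def detect(lines, limit=FREE_TIER_LIMIT, burst=BURST_THRESHOLD, window=BURST_WINDOW):
    """Yield (kind, user_id, count) alerts in the order the triggering lines arrive."""
    recent = defaultdict(deque)   # user -> timestamps of creation POSTs inside the window
    created = defaultdict(int)    # user -> successful creations seen so far
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["method"] != "POST" or not SUBDOMAIN_PATH_RE.match(ev["path"]):
            continue
        user = ev["user"]
        q = recent[user]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) == burst + 1:                  # fire once, when the threshold is first crossed
            alerts.append(("burst", user, len(q)))
        if ev["status"] == 201 and ev["plan"] == "free":
            created[user] += 1
            if created[user] == limit + 1:       # quota should have stopped this one
                alerts.append(("over_quota", user, created[user]))
    return alerts


if __name__ == "__main__":
    for kind, user, count in detect(SAMPLE_LOG.strip().splitlines()):
        print(f"{kind}: user={user} count={count}")
```

The over-quota check is the stronger signal for this bug: a burst alone may be a legitimate script, but a free user whose successful creations exceed the plan limit is direct evidence that the limit was bypassed and should be reconciled against the database.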
