CVE-2026-22820

3.7 LOW

📋 TL;DR

A TOCTOU race condition vulnerability in Outray (an open-source ngrok alternative) allows authenticated users to bypass subscription limits and create more active tunnels than their plan permits. This affects all Outray users with subscription plans prior to version 0.1.5. The vulnerability requires user authentication but doesn't require administrative privileges.
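The check-then-act pattern behind this kind of TOCTOU limit bypass, beside the atomic form that closes it, as an added Go illustration that is not Outray's code: the UserTunnels type, its fields and the plan limit of 2 are assumptions for the example, and ConcurrentCreates is the kind of concurrency check you would run to confirm a fixed build really respects the subscription limit.

```go
package main

import "fmt"
import "sync"
import "time"

// UserTunnels is a hypothetical per-user tunnel counter, not Outray's code.
type UserTunnels struct {
	mu     sync.Mutex
	active int // tunnels currently open for this user
	limit  int // the user's plan limit
}
// CreateRacy is check-then-act: the lock is dropped between check and increment.
func (u *UserTunnels) CreateRacy() bool {
	u.mu.Lock()
	ok := u.active < u.limit
	u.mu.Unlock()
	if ok { // passed the check, but nothing reserves the slot during setup
		time.Sleep(time.Millisecond) // stands in for the I/O of opening a tunnel
		u.mu.Lock()
		u.active++
		u.mu.Unlock()
	}
	return ok
}
// CreateSafe holds the lock across check and increment, so they are one step.
func (u *UserTunnels) CreateSafe() bool {
	u.mu.Lock()
	defer u.mu.Unlock()
	if u.active >= u.limit {
		return false
	}
	u.active++
	return true
}
// ConcurrentCreates fires n simultaneous requests and returns the open count.
func ConcurrentCreates(u *UserTunnels, n int, create func() bool) int {
	var wg sync.WaitGroup
	wg.Add(n)
	for i := 0; i < n; i++ {
		go func() { defer wg.Done(); create() }()
	}
	wg.Wait() // every request has returned, so the read below needs no lock
	return u.active
}
func main() {
	r, s := &UserTunnels{limit: 2}, &UserTunnels{limit: 2}
	fmt.Println(ConcurrentCreates(r, 20, r.CreateRacy), ConcurrentCreates(s, 20, s.CreateSafe)) // typically "20 2"
}
```

The same fix applies when the count lives in a database: the check and the insert must be one transaction or one conditional statement, not a SELECT followed by an INSERT.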

💻 Affected Systems

Products:
  • Outray
Versions: All versions prior to 0.1.5
Operating Systems: All platforms running Outray
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments with subscription plans enabled. Free/unlimited deployments are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users could create unlimited tunnels beyond their paid subscription limits, potentially causing resource exhaustion, service degradation, or financial impact to the service provider.

🟠 Likely Case

Users exceeding their tunnel limits, causing minor resource consumption increases and potential billing discrepancies.

🟢 If Mitigated

Proper rate limiting and subscription enforcement prevents any tunnel limit bypass.

🌐 Internet-Facing: MEDIUM - The vulnerability requires authenticated access but affects the core tunnel management functionality.
🏢 Internal Only: MEDIUM - Same risk applies internally as it's a subscription enforcement bypass.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires race condition timing and authenticated user access. No public exploits have been reported.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.5

Vendor Advisory: https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7

Restart Required: Yes

Instructions:

1. Stop the Outray service.
2. Update to version 0.1.5 via package manager or manual installation.
3. Restart the Outray service.
4. Verify the version with 'outray --version'.

🔧 Temporary Workarounds

Rate Limiting (platform: all)

Implement external rate limiting on tunnel creation requests. Note that this only slows bursts from one client address; it does not enforce the per-user plan limit itself.

# Use nginx or similar proxy with rate limiting
# In the http block: one zone keyed by client IP, allowing 1 request/s
limit_req_zone $binary_remote_addr zone=tunnel:10m rate=1r/s;
# In the location that serves tunnel creation: apply the zone (burst=5 nodelay
# still lets up to 5 queued requests through at once, so keep the burst small)
limit_req zone=tunnel burst=5 nodelay;

🧯 If You Can't Patch

  • Implement strict monitoring on tunnel creation rates per user
  • Enforce subscription limits at the load balancer or proxy level

🔍 How to Verify

Check if Vulnerable:

Check if running Outray version < 0.1.5 with 'outray --version'

Check Version:

outray --version

Verify Fix Applied:

Confirm version is 0.1.5 or higher and test tunnel creation respects subscription limits

📡 Detection & Monitoring

Log Indicators:

  • Multiple tunnel creation requests from same user in rapid succession
  • User exceeding documented tunnel limits

Network Indicators:

  • Unusual spike in tunnel establishment traffic
  • Multiple simultaneous tunnel connections from single user

SIEM Query:

source="outray.log" AND "tunnel created" | stats count by user | where count > subscription_limit

(subscription_limit is a placeholder for the user's plan limit; it must be present as a field on the events, or joined in with a lookup before the where clause, for the comparison to work.)
