Description
Outray is an open-source ngrok alternative. Prior to 0.1.5, this vulnerability allows a user, i.e. a free plan user, to get more than the desired subdomains due to a lack of DB transaction lock mechanisms in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5.
Published: 2026-01-14
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized subdomain allocation
Action: Patch
AI Analysis

Impact

The race condition in Outray's subdomain creation endpoint allows a free plan user to create more subdomains than the service limits permit. By sending concurrent requests, the application’s missing database transaction locks enable duplicate allocations, leading to unauthorized subdomain provisioning. The exploit does not expose sensitive data but permits users to exceed quota, which can be used for resource abuse or to create misleading or malicious subdomains.

Affected Systems

Outray, an open‑source ngrok alternative maintained by akinloluwami, is affected in all releases prior to version 0.1.5. The vulnerability was fixed in 0.1.5, so any deployment running an earlier version is vulnerable. The affected component is the subdomain creation route located at main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% indicates that exploitation is currently unlikely. The flaw is triggered by concurrent web API calls from an authenticated free‑plan account, so the attack is carried out over the network (AV:N in the CVSS vector) and requires legitimate user access (PR:L). The vulnerability is not listed in CISA’s KEV catalogue, which suggests no known exploitation in the wild, but it still warrants prompt containment.

Generated by OpenCVE AI on April 18, 2026 at 06:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Outray to version 0.1.5 or newer to apply the race‑condition fix
  • Verify that database transaction locks are enabled for the subdomain creation endpoint to prevent concurrent allocations
  • Monitor subdomain creation logs for anomalous spikes and enforce quota limits automatically for accounts that exceed the stated allowance
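
The check-then-insert race behind this CVE, and the effect of serializing the check and the insert, can be reproduced deterministically. The block below is an added example, not Outray's code or its 0.1.5 patch: the in-memory table, the quota of 1, the handler names and the per-organization lock (standing in for a database transaction that locks the organization row) are all assumptions made for illustration.

```javascript
// In-memory stand-in for the subdomains table (constructed; not Outray's schema).
const LIMIT = 1; // assumed free-plan quota, chosen for this example

// Each handler is a generator; every `yield` marks a database round trip during
// which another in-flight request may be scheduled, as with concurrent HTTP calls.
function* createUnlocked(db, org, name) {
  const count = db.rows.filter(r => r.org === org).length; // SELECT count(*)
  yield;                                  // other requests read the same count here
  if (count >= LIMIT) return "rejected";
  db.rows.push({ org, name });            // INSERT
  return "created";
}

// Same logic, but count + insert run under a per-organization lock, modelling a
// transaction that locks the organization row (e.g. SELECT ... FOR UPDATE).
function* createLocked(db, org, name) {
  while (db.locks.has(org)) yield;        // wait until the current holder commits
  db.locks.add(org);
  try {
    const count = db.rows.filter(r => r.org === org).length;
    yield;
    if (count >= LIMIT) return "rejected";
    db.rows.push({ org, name });
    return "created";
  } finally {
    db.locks.delete(org);                 // commit or rollback releases the lock
  }
}

// Round-robin scheduler: advances every pending request one step per pass.
function runConcurrently(handler, n) {
  const db = { rows: [], locks: new Set() };
  const tasks = Array.from({ length: n }, (_, i) => handler(db, "org-a", `sub${i}`));
  const results = new Array(n);
  let pending = n;
  while (pending > 0) {
    tasks.forEach((task, i) => {
      if (results[i] !== undefined) return;
      const step = task.next();
      if (step.done) { results[i] = step.value; pending--; }
    });
  }
  return { created: db.rows.length, results };
}
```

With five simultaneous requests, `runConcurrently(createUnlocked, 5)` stores five rows against a quota of one, while `runConcurrently(createLocked, 5)` stores one and rejects the rest.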



Advisories
Source: Github GHSA
ID: GHSA-45hj-9x76-wp9g
Title: Outray has a Race Condition in the cli's webapp
History

Tue, 20 Jan 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Outray
Outray outray
CPEs cpe:2.3:a:outray:outray:*:*:*:*:*:node.js:*:*
Vendors & Products Outray
Outray outray

Thu, 15 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Outray-tunnel
Outray-tunnel outray
Vendors & Products Outray-tunnel
Outray-tunnel outray

Wed, 14 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 14 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Description Outray openSource ngrok alternative. Prior to 0.1.5, this vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5.
Title Outray has a Race Condition in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts
Weaknesses CWE-366
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-14T21:13:36.389Z

Reserved: 2026-01-09T22:50:10.289Z

Link: CVE-2026-22819

Vulnrichment

Updated: 2026-01-14T21:13:33.628Z

NVD

Status: Analyzed

Published: 2026-01-14T18:16:42.330

Modified: 2026-01-20T14:56:26.523

Link: CVE-2026-22819

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses