CVE-2026-22819 is a race condition vulnerability classified under CWE-366 found in Outray, an open-source alternative to ngrok used for creating secure tunnels to localhost services. The vulnerability exists in versions prior to 0.1.5 within the subdomain allocation endpoint located at main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. Specifically, the lack of database transaction locking mechanisms allows concurrent requests from a user on a free plan to bypass intended subdomain allocation limits. This race condition can be exploited by sending multiple simultaneous requests to the subdomain API, resulting in the user obtaining more subdomains than permitted. The flaw impacts the integrity of the system by enabling unauthorized resource allocation but does not expose confidential data. The vulnerability requires network access and low privileges (a free plan user) but does not require user interaction. The CVSS v3.1 score is 5.9 (medium), reflecting the moderate impact on integrity and high impact on availability due to potential resource exhaustion or service disruption. The issue was resolved in Outray version 0.1.5 by introducing proper database transaction locks to serialize subdomain allocation requests and prevent concurrent exploitation. No public exploits have been reported to date.

For European organizations using Outray versions prior to 0.1.5, this vulnerability can lead to unauthorized allocation of subdomains beyond the intended limits for free plan users. This can result in resource abuse, potentially degrading service availability for legitimate users and increasing operational costs if subdomain resources are limited or metered. While confidentiality is not directly impacted, the integrity of resource allocation is compromised, which could undermine trust in the service. Organizations relying on Outray for secure tunneling in development, testing, or production environments may experience disruptions or reduced service quality. Additionally, attackers could leverage the excess subdomains to facilitate further malicious activities such as phishing or evasion of network controls. The absence of known exploits reduces immediate risk, but the vulnerability remains a concern until patched. European entities with strict compliance requirements should also consider the risk of service availability issues affecting regulatory obligations.

The primary mitigation is to upgrade Outray to version 0.1.5 or later, where the vulnerability is fixed by implementing proper database transaction locking. Organizations should audit their Outray deployments to identify affected versions and apply the update promptly. Additionally, implementing rate limiting and concurrency controls on the subdomain allocation API can reduce the risk of exploitation. Monitoring for unusual patterns of subdomain requests from free plan users can help detect attempted abuse. For environments where immediate upgrade is not feasible, deploying a web application firewall (WAF) with custom rules to limit concurrent requests to the vulnerable endpoint may provide temporary protection. Finally, organizations should review their subscription and resource allocation policies to ensure that abuse of free-tier resources is minimized and consider restricting free plan capabilities if necessary.