CVE-2026-22819: CWE-366: Race Condition within a Thread in akinloluwami outray
CVE-2026-22819 is a medium-severity race condition vulnerability in the open-source ngrok alternative 'outray' prior to version 0.1.5. It allows free plan users to obtain more subdomains than intended due to missing database transaction locking in the subdomain allocation code. The flaw impacts integrity and availability but does not affect confidentiality. Exploitation requires network access and low privileges but no user interaction. The vulnerability is fixed in version 0.1.5. There are no known exploits in the wild.
AI Analysis
Technical Summary
CVE-2026-22819 is a race condition vulnerability classified under CWE-366, found in the open-source project 'outray', an alternative to ngrok used for creating secure tunnels to localhost services. The vulnerability exists in versions prior to 0.1.5 within the subdomain allocation logic located in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. Specifically, the issue arises from the lack of database transaction locking mechanisms when allocating subdomains to users on the free plan. This absence of locking allows a race condition where a user can simultaneously request multiple subdomains, bypassing intended limits and obtaining more subdomains than permitted. The vulnerability affects the integrity of the system by allowing unauthorized resource allocation and impacts availability by potentially exhausting subdomain resources. The CVSS v3.1 score is 5.9 (medium), with vector AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H, indicating network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and high availability impact. No known exploits have been reported in the wild. The issue was addressed in version 0.1.5 by introducing proper database transaction locks to serialize subdomain allocation requests, preventing concurrent race conditions.
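The check-then-insert pattern described above, shown as an added example rather than outray's own code: an unserialized quota check that several concurrent requests can all pass, beside a version that serializes allocations per organization. The in-memory store, the quota of one free-plan subdomain and the async mutex (standing in for a database transaction that locks the organization's row) are assumptions of this demo.

```typescript
// Added example (not outray's code). Simulates the subdomain quota race and the
// fix. Constructed in-memory "database": orgSlug -> allocated subdomain names.
type Db = { subdomains: Map<string, string[]> };

const FREE_PLAN_LIMIT = 1; // assumption: free plan allows one subdomain

// Models a DB round trip: the await yields to the event loop, so other
// in-flight requests can interleave between the quota check and the insert.
const tick = () => new Promise<void>((r) => setTimeout(r, 0));

async function countFor(db: Db, org: string): Promise<number> {
  await tick();
  return db.subdomains.get(org)?.length ?? 0;
}

async function insertFor(db: Db, org: string, name: string): Promise<void> {
  await tick();
  db.subdomains.set(org, [...(db.subdomains.get(org) ?? []), name]);
}

// Vulnerable pattern: check-then-insert with no lock. Concurrent requests all
// observe count < limit before any insert lands, so all of them succeed.
async function allocateUnlocked(db: Db, org: string, name: string): Promise<boolean> {
  if ((await countFor(db, org)) >= FREE_PLAN_LIMIT) return false;
  await insertFor(db, org, name);
  return true;
}

// Fix: serialize allocations per organization. This async mutex stands in for a
// transaction that locks the org row (e.g. SELECT ... FOR UPDATE), so the count
// and the insert run atomically with respect to other requests for that org.
const orgLocks = new Map<string, Promise<void>>();
async function withOrgLock<T>(org: string, fn: () => Promise<T>): Promise<T> {
  const prev = orgLocks.get(org) ?? Promise.resolve();
  let release!: () => void;
  const next = new Promise<void>((r) => (release = r));
  orgLocks.set(org, prev.then(() => next)); // queue behind the current holder
  await prev;
  try { return await fn(); } finally { release(); }
}

async function allocateLocked(db: Db, org: string, name: string): Promise<boolean> {
  return withOrgLock(org, () => allocateUnlocked(db, org, name));
}

// Fires n concurrent requests for one free-plan org and returns how many
// subdomains it ends up holding (unlocked: n; locked: FREE_PLAN_LIMIT).
async function runBurst(alloc: typeof allocateUnlocked, n: number): Promise<number> {
  const db: Db = { subdomains: new Map() };
  await Promise.all(Array.from({ length: n }, (_, i) => alloc(db, "free-org", `tunnel-${i}`)));
  return db.subdomains.get("free-org")?.length ?? 0;
}
```

A unique constraint or a `SELECT ... FOR UPDATE` on the organization row inside one transaction gives the same serialization at the database layer, which is where the 0.1.5 fix applies it.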
Potential Impact
For European organizations leveraging outray for secure tunneling or development environments, this vulnerability can lead to unauthorized allocation of subdomains beyond allowed quotas, potentially resulting in resource exhaustion and denial of service for legitimate users. While confidentiality is not directly impacted, the integrity of resource allocation is compromised, which could facilitate abuse scenarios such as evading usage limits or launching further attacks using excess subdomains. The availability of the service could be degraded if subdomain exhaustion occurs. Organizations relying on outray in production or development pipelines may face operational disruptions. Given the medium severity and the requirement for network access with low privileges, the threat is moderate but should not be ignored, especially in environments with multiple free plan users or public-facing services.
Mitigation Recommendations
The primary mitigation is to upgrade all instances of outray to version 0.1.5 or later, where the race condition has been fixed with proper database transaction locking. Organizations should audit their deployments to identify any running vulnerable versions. Additionally, implementing rate limiting and concurrency controls at the API gateway or application level can reduce the risk of race conditions. Monitoring subdomain allocation patterns for anomalies can help detect abuse attempts. For deployments where upgrading is delayed, applying manual locking mechanisms or database-level transaction isolation can serve as temporary workarounds. Security teams should also review user privilege assignments to minimize exposure and consider restricting free plan usage or enforcing stricter quotas until patches are applied.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-09T22:50:10.289Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6967de03d0ff220b953260fe
Added to database: 1/14/2026, 6:18:43 PM
Last enriched: 1/21/2026, 8:39:27 PM
Last updated: 2/7/2026, 12:25:15 PM