CVE-2026-22820 identifies a time-of-check to time-of-use (TOCTOU) race condition vulnerability in the open-source tool 'outray', an alternative to ngrok used for creating secure tunnels. The vulnerability exists in versions prior to 0.1.5 and allows an attacker to circumvent subscription plan limits by creating more active tunnels than permitted. This occurs because the software checks the number of active tunnels (time-of-check) but does not properly synchronize or lock this state before allowing tunnel creation (time-of-use), enabling a race condition where multiple tunnel creation requests can bypass the limit. The flaw requires no authentication or user interaction and can be exploited remotely, increasing its risk profile. The CVSS 4.0 score is 6.3 (medium), reflecting network attack vector, high attack complexity, and limited impact on integrity. Although no known exploits are reported, the vulnerability undermines subscription enforcement and could lead to resource overuse or denial of service to legitimate users. The issue was resolved in outray version 0.1.5 by implementing appropriate synchronization mechanisms to prevent concurrent tunnel creation beyond allowed limits.

For European organizations, this vulnerability could lead to unauthorized overuse of tunneling resources, potentially causing service degradation or denial of service for legitimate users relying on outray for remote access or secure connectivity. While it does not directly expose sensitive data or allow code execution, the ability to exceed subscription limits may result in increased operational costs or resource exhaustion. Organizations using outray in multi-tenant or shared environments might face abuse from malicious actors exploiting this flaw to monopolize tunnel capacity. This could disrupt business continuity, especially for companies dependent on secure remote access for distributed teams or cloud services. Additionally, the circumvention of subscription controls could impact vendor trust and compliance with software usage policies. Given the growing reliance on remote access tools in Europe, especially post-pandemic, the vulnerability poses a moderate operational risk.

The primary mitigation is to upgrade all instances of outray to version 0.1.5 or later, where the TOCTOU race condition has been fixed. Organizations should audit their current deployments to identify any running versions below 0.1.5 and prioritize patching. Implement monitoring and alerting on tunnel creation rates and active tunnel counts to detect anomalous behavior indicative of exploitation attempts. Consider rate limiting tunnel creation requests at the network or application layer to reduce race condition exploitation windows. For environments where immediate upgrade is not feasible, deploying additional synchronization or locking mechanisms externally (e.g., via orchestration scripts or middleware) can help mitigate risk. Finally, review subscription enforcement policies and usage logs regularly to identify and respond to potential abuse.