PT-2026-2846 · Outray · Outray
Gr33Pp · Published 2026-01-13 · Updated 2026-02-28 · CVE-2026-22820

| CVSS v4.0 | Vector |
|---|---|
| 6.3 (Medium) | AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Outray versions prior to 0.1.5
Description
A TOCTOU (Time-of-Check-to-Time-of-Use) race condition allows a user to exceed the number of active tunnels permitted by their subscription plan. The issue lies in the handling of tunnel registration requests and in concurrent access to the database and Redis. Specifically, the /tunnel/register API endpoint in apps/web/src/routes/api/tunnel/register.ts is vulnerable. The code reads the number of active tunnels from Redis (activeCount) and compares it with the allowed limit (tunnelLimit). However, between the time the check is performed and the time the new tunnel row is inserted into the database, another request can pass the same limit check and create an additional tunnel, because no locking is applied around the check and the database transaction. The vulnerability can be exploited by sending multiple concurrent tunnel registration requests, allowing a user to create more tunnels than their subscription allows. A proof of concept (PoC) demonstrates this by running multiple outray instances simultaneously and successfully creating more tunnels than permitted.

Recommendations
Versions prior to 0.1.5 should be updated to version 0.1.5 or later.
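The check-then-insert window described above, and a per-user serialized version of the same registration step, as an added illustration written for this page (hypothetical TypeScript, not Outray's register.ts; an in-memory map stands in for Redis and the database, and a yielding await models the database round-trip):

```typescript
// Hypothetical model of the race in the advisory (not Outray's code).
// `store` stands in for Redis/DB; `tick()` yields like an awaited DB call.
const tick = () => new Promise<void>((r) => setTimeout(r, 0));

type Store = { tunnels: Map<string, string[]> };

function activeCount(store: Store, user: string): number {
  return store.tunnels.get(user)?.length ?? 0;
}

function insertTunnel(store: Store, user: string, id: string): void {
  store.tunnels.set(user, [...(store.tunnels.get(user) ?? []), id]);
}

// Vulnerable pattern: read activeCount, await the DB, then insert.
// Every concurrent call observes the count before any insert lands.
async function registerRacy(store: Store, user: string, tunnelLimit: number, id: string): Promise<boolean> {
  if (activeCount(store, user) >= tunnelLimit) return false; // time of check
  await tick();                                              // DB latency window
  insertTunnel(store, user, id);                             // time of use
  return true;
}

// Mitigation: serialize check + insert per user so no second registration
// can read the count until the first one's insert is visible. With a real
// Redis/DB this is a row lock, SELECT ... FOR UPDATE, or an atomic script.
const locks = new Map<string, Promise<void>>();
async function withUserLock<T>(user: string, fn: () => Promise<T>): Promise<T> {
  const prev = locks.get(user) ?? Promise.resolve();
  const run = prev.then(fn);
  locks.set(user, run.then(() => undefined, () => undefined));
  return run;
}

async function registerSafe(store: Store, user: string, tunnelLimit: number, id: string): Promise<boolean> {
  return withUserLock(user, async () => {
    if (activeCount(store, user) >= tunnelLimit) return false;
    await tick();
    insertTunnel(store, user, id);
    return true;
  });
}

// Fire n concurrent registrations for one user and count how many succeeded.
async function burst(register: typeof registerRacy, tunnelLimit: number, n: number): Promise<number> {
  const store: Store = { tunnels: new Map() };
  const results = await Promise.all(
    Array.from({ length: n }, (_, i) => register(store, "alice", tunnelLimit, `t${i}`)),
  );
  return results.filter(Boolean).length;
}
```

With a limit of 2 and 5 concurrent calls, `burst(registerRacy, 2, 5)` reports 5 successful registrations while `burst(registerSafe, 2, 5)` reports 2.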
References: Exploit · Fix
Weakness Enumeration: Time-of-Check to Time-of-Use (TOCTOU)
Related Identifiers
Affected Products: Outray