PT-2026-2934 · Outray · Outray

Senseixenus · Published 2026-01-13 · Updated 2026-02-28

CVE-2026-22819 · CVSS v3.1: 5.9 (Medium) · Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: Outray versions prior to 0.1.5

Description: A flaw in Outray allows a user, including one on a free plan, to obtain more subdomains than the plan permits, because the subdomain-creation path takes no database transaction locks. The issue resides in the API endpoint /api/$orgSlug/subdomains/index.ts, which reads the user's plan and the existing subdomains and then inserts a new row without locking, a check-then-act race condition. An attacker exploits it by sending parallel requests to the endpoint: if a second request reads the subdomains table before the first request's INSERT statement completes, both pass the limit check and both create a subdomain. The exploitable window is the time between reading and writing the database rows. A proof of concept demonstrates creating multiple subdomains in parallel with a tool such as Burp Suite, exceeding the allowed limit.

Recommendations: Versions prior to 0.1.5 should be updated to version 0.1.5 or later.
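The following is an added illustration, not Outray's code, of the race described above and of one way to close it. It models the subdomains table in memory with hypothetical names (SubdomainTable, KeyedLock, createVulnerable, createLocked, stressTest); the per-org lock stands in for a row lock held inside a database transaction, which is the general shape of the fix rather than Outray's specific patch.

```typescript
// Added example (hypothetical names, not Outray's code): the check-then-insert
// race in a subdomain-limit endpoint, and a fix that serialises it per org.
type Row = { org: string; name: string };
// In-memory stand-in for the subdomains table. Each call yields to the event
// loop once, like a query round trip, so concurrent handlers interleave.
class SubdomainTable {
  rows: Row[] = [];
  async countFor(org: string): Promise<number> {
    const n = this.rows.filter(r => r.org === org).length;
    await Promise.resolve(); // simulated round trip
    return n;
  }
  async insert(org: string, name: string): Promise<void> {
    await Promise.resolve();
    this.rows.push({ org, name });
  }
}
// Per-key async lock, standing in for a row lock (e.g. SELECT ... FOR UPDATE
// on the organisation row) that is held until the transaction commits.
class KeyedLock {
  private tails = new Map<string, Promise<void>>();
  async withLock<T>(key: string, fn: () => Promise<T>): Promise<T> {
    const prev = this.tails.get(key) ?? Promise.resolve();
    let release!: () => void;
    const mine = new Promise<void>(r => (release = r));
    this.tails.set(key, prev.then(() => mine));
    await prev; // wait for earlier holders of this key to finish
    try { return await fn(); } finally { release(); }
  }
}
type Handler = (db: SubdomainTable, org: string, name: string, limit: number) => Promise<boolean>;
// Vulnerable shape: the limit check and the INSERT are separate, unlocked
// operations, so N parallel requests can all observe "under limit".
const createVulnerable: Handler = async (db, org, name, limit) => {
  if ((await db.countFor(org)) >= limit) return false;
  await db.insert(org, name);
  return true;
};
// Fixed shape: the same body runs under the per-org lock, so the second
// request sees the first request's row before it decides.
const lock = new KeyedLock();
const createLocked: Handler = (db, org, name, limit) =>
  lock.withLock(org, () => createVulnerable(db, org, name, limit));
// Fires n concurrent requests and reports how many rows the org ends up with.
async function stressTest(handler: Handler, n: number, limit: number): Promise<number> {
  const db = new SubdomainTable();
  await Promise.all(Array.from({ length: n }, (_, i) => handler(db, "acme", `sub${i}`, limit)));
  return db.countFor("acme");
}
```

With a plan limit of 2 and five concurrent requests, the unlocked handler ends with five rows while the locked handler stops at two.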


Related Identifiers: CVE-2026-22819, GHSA-45HJ-9X76-WP9G

Affected Products: Outray