CVE-2026-22820

LOW

Outray < 0.1.5 - TOCTOU Race Condition

Title source: rule

Description

Outray openSource ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5.

References (2)

[Exploit, Vendor Advisory] https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7

[Patch] https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581

View Patch ZIP pw:eip

Scores

CVSS v3 3.7

EPSS 0.0004

EPSS Percentile 13.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-367

Status published

Products (2)

npm/outray 0 - 0.1.5npm

outray/outray < 0.1.5

Published Jan 14, 2026

Tracked Since Feb 18, 2026