CVE-2026-22819: Outray has a Race Condition in the cli's webapp

January 13, 2026 (updated January 14, 2026)

This vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in https://github.com/akinloluwami/outray/blob/main/apps/web/src/routes/api/%24orgSlug/subdomains/index.ts

References

github.com/advisories/GHSA-45hj-9x76-wp9g
github.com/akinloluwami/outray
github.com/akinloluwami/outray/security/advisories/GHSA-45hj-9x76-wp9g
github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581
github.com/outray-tunnel/outray/commit/73e8a09575754fb4c395438680454b2ec064d1d6
github.com/outray-tunnel/outray/security/advisories/GHSA-45hj-9x76-wp9g
nvd.nist.gov/vuln/detail/CVE-2026-22819

Code Behaviors & Features

Detect and mitigate CVE-2026-22819 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →