Vulnerability in Akinloluwami Outray

CVE-2026-22820

Outray openSource ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5.

Vulnerability class: TOCTOU (Time-of-Check to Time-of-Use)

EPSS: 0.001 (17.5th percentile) — read the EPSS interpretation.

Affected products

Akinloluwami Outray — versions < 0.1.5

Weakness classification (CWE)

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition

References

https://github.com/outray-tunnel/outray/security/advisories/GHSA-3pqc-836w-jgr7 (x_refsource_CONFIRM)
https://github.com/outray-tunnel/outray/commit/08c61495761349e7fd2965229c3faa8d7b1c1581 (x_refsource_MISC)