What is CVE-2026-22819?

### Summary This vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in `https://github.com/akinloluwami/outray/blob/main/apps/web/src/routes/api/%24orgSlug/subdomains/index.ts` ### Details - The affected code-: ```ts //Race condition const [subscription] = await db .select() .from(subscriptions) .where(eq(subscriptions.organizationId, organization.id)); const currentPlan = subscription?.plan || "free"; const planLimits = getPlanLimits(currentPlan as any); const subdomainLimit = planLimits.maxSubdomains; const existingSubdomains = await db .select() .from(subdomains) .where(eq(subdomains.organizationId, organization.id)); if (existingSubdomains.length >= subdomainLimit) { return json( { error: `Subdomain limit reached. The ${currentPlan} plan allows ${subdomainLimit} subdomain${subdomainLimit > 1 ? "s" : ""}.`, }, { status: 403 }, ); } const existing = await db .select() .from(subdomains) .where(eq(subdomains.subdomain, subdomain)) .limit(1); if (existing.length > 0) { return json({ error: "Subdomain already taken" }, { status: 409 }); } const [newSubdomain] = await db .insert(subdomains) .values({ id: crypto.randomUUID(), subdomain, organizationId: organization.id, userId: session.user.id, }) .returning(); ``` - The first part of the code checks the user plan and determine his/her existing_domains without locking the transaction and allowing it to run. ```ts const existingSubdomains = await db .select() .from(subdomains) .where(eq(subdomains.organizationId, organization.id)); ``` - The other part of the code checks if the desired domain is more than the limit. ```ts if (existingSubdomains.length >= subdomainLimit) { return json( { error: `Subdomain limit reached. The ${currentPlan} plan allows ${subdomainLimit} subdomain${subdomainLimit > 1 ? "s" : ""}.`, }, { status: 403 }, ); } ``` - Finally, it inserts the subdomain also after the whole check without locking transactions. ```ts const [newSubdomain] = await db .insert(subdomains) .values({ id: crypto.randomUUID(), subdomain, organizationId: organization.id, userId: session.user.id, }) .returning(); ``` - An attacker can exploit this by making parallel requests to the same endpoint and if the second request reads row `subdomains` before the `INSERT` statement of request one is made.It allows the attacker to act on a not yet updated row which bypasses the checks and allow the attacker to get more subdomains.For example-: ``` Parallel request 1 Parallel Request 2 | | checks for Checks the not yet updated available subdomain row and bypasses the logic checks and determines if it is more than limit | | Inserts subdomain and calls it a day Also inserts the subdomain ``` - The attack focuses on exploiting the race window between reading and writing the db rows. ### PoC - Intercept with Burp proxy,pass to `Repeater` and create multiple requests in a single batch with different subdomain names as seen below. Lastly, send the requests in `parallel`. - Result-: ### Impact The vulnerability provides an infiinite supply of domains to users bypassing the need for subscription

What is the severity of CVE-2026-22819?

CVE-2026-22819 has a CVSS v3 score of 3.1, which is classified as Low severity.

Is there an exploit available for CVE-2026-22819?

No known public exploits are currently available for CVE-2026-22819.

Is there a patch available for CVE-2026-22819?

Yes, patches are available for CVE-2026-22819. Check the vendor advisories for update instructions.

CVE-2026-22819 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v33.1

CVSS v20.0

Priority Score94.0

EPSS Score0.0

Low

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

3.1

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

This vulnerability allows a user i.e a free plan user to get more than the desired subdomains due to lack of db transaction lock mechanisms in https://github.com/akinloluwami/outray/blob/main/apps/web/src/routes/api/%24orgSlug/subdomains/index.ts

Details

The affected code-:

//Race condition
        const [subscription] = await db
          .select()
          .from(subscriptions)
          .where(eq(subscriptions.organizationId, organization.id));

        const currentPlan = subscription?.plan || "free";
        const planLimits = getPlanLimits(currentPlan as any);
        const subdomainLimit = planLimits.maxSubdomains;

        const existingSubdomains = await db
          .select()
          .from(subdomains)
          .where(eq(subdomains.organizationId, organization.id));

        if (existingSubdomains.length >= subdomainLimit) {
          return json(
            {
              error: `Subdomain limit reached. The ${currentPlan} plan allows ${subdomainLimit} subdomain${subdomainLimit > 1 ? "s" : ""}.`,
            },
            { status: 403 },
          );
        }

        const existing = await db
          .select()
          .from(subdomains)
          .where(eq(subdomains.subdomain, subdomain))
          .limit(1);

        if (existing.length > 0) {
          return json({ error: "Subdomain already taken" }, { status: 409 });
        }

        const [newSubdomain] = await db
          .insert(subdomains)
          .values({
            id: crypto.randomUUID(),
            subdomain,
            organizationId: organization.id,
            userId: session.user.id,
          })
          .returning();

The first part of the code checks the user plan and determine his/her existing_domains without locking the transaction and allowing it to run.

const existingSubdomains = await db
          .select()
          .from(subdomains)
          .where(eq(subdomains.organizationId, organization.id));

The other part of the code checks if the desired domain is more than the limit.

if (existingSubdomains.length >= subdomainLimit) {
          return json(
            {
              error: `Subdomain limit reached. The ${currentPlan} plan allows ${subdomainLimit} subdomain${subdomainLimit > 1 ? "s" : ""}.`,
            },
            { status: 403 },
          );
        }

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:High

Privileges Required:Local

User Interaction:Network

Scope:Unchanged

Confidentiality:Network

Integrity:Local

Availability:Network

Patch References

Github.com Github.com Security [email protected]