When Milliseconds Matter: Critical Race Conditions in Outray Allow Silent Privilege Takeover

Product Overview

Outray is a reverse-tunneling platform similar to ngrok, designed to expose local or internal services to the public internet using secure, encrypted tunnels. It is commonly used for:

  • Development and testing
  • Webhook reception
  • Temporary access to internal dashboards
  • CI/CD pipeline integrations
  • Remote troubleshooting

Outray operates using a control plane (authentication, authorization, tunnel lifecycle) and a data plane (actual traffic forwarding).
The vulnerabilities discussed here exist in the control plane, but their impact directly affects live tunnel traffic.


Vulnerability Summary

In 2026, two severe race-condition vulnerabilities were discovered in Outray’s tunnel session handling and control API logic. Both issues allow privilege abuse without exploiting memory corruption, authentication bypass, or malformed requests.

The flaws arise from non-atomic authorization logic under concurrent execution, allowing attackers to briefly gain elevated privileges and perform restricted actions.


CVE Basic Information

CVE Name                   | CVE ID         | CVSS v3.1 | Severity | Exploitability | Exploit Availability
Outray Tunnel Session Race | CVE-2026-22819 | 8.8       | High     | High           | Public PoC (educational)
Outray Control Plane Race  | CVE-2026-22820 | 9.6       | Critical | Very High      | Easily reproducible

Affected Components

  • Tunnel session initialization and resume logic
  • Control plane role validation and execution flow
  • Tunnel ownership assignment
  • Administrative API endpoints

Root Cause Analysis

Core Issue

Outray processed authorization checks and privileged actions in parallel execution paths without enforcing strict ordering or locking.

In high-concurrency scenarios:

  • Privileges were validated before the system reached a stable state
  • Cleanup or downgrade operations ran after privileged actions executed
  • Shared objects (tunnel sessions, role contexts) were reused unsafely

This resulted in time-of-check vs time-of-use (TOCTOU) failures.


CVE-2026-22819 – Tunnel Session Race Condition

What Went Wrong

Tunnel creation and resume requests were handled concurrently without locking the tunnel session object. Under rapid reconnect conditions, a low-privilege user could inherit a partially initialized tunnel belonging to another context.

Impact

  • Tunnel ownership confusion
  • Unauthorized access to exposed internal services
  • Traffic interception or redirection

Why This Is Dangerous

Tunnels often expose:

  • Internal admin panels
  • Webhooks containing secrets
  • Non-internet-facing services

Compromising a tunnel is equivalent to compromising whatever it exposes.


CVE-2026-22820 – Control Plane Privilege Escalation

What Went Wrong

Role validation and privileged action execution were not serialized. A user could trigger a temporary elevated role and execute admin-only actions before cleanup completed.

Impact

  • Execution of admin-only API calls
  • Configuration export
  • Tunnel reassignment
  • Key or token manipulation

This vulnerability is critical because even a single successful request is enough to cause lasting damage.


Exploitation Overview

The following is provided strictly for defensive understanding.

General Attack Pattern

  1. Attacker uses a legitimate low-privilege account
  2. Sends multiple concurrent API requests
  3. Exploits timing gaps between validation and execution
  4. Gains unintended elevated privileges
  5. Performs sensitive actions

No malformed input, malware, or user interaction is required.


Proof of Concept Status

  • CVE-2026-22819: Publicly demonstrated PoC using rapid tunnel reconnect storms
  • CVE-2026-22820: No official exploit kit, but trivial to reproduce using parallel HTTP requests

All PoCs are considered educational and defensive in nature.


Why Traditional Security Tools Miss This

  • Requests are valid
  • Credentials are legitimate
  • No exploit payloads
  • No crashes or errors
  • Abuse happens in milliseconds

This is logic abuse, not signature-based exploitation.


Indicators of Compromise (IOCs)

High-Confidence Behavioral IOCs

  • Tunnel ownership changes without approval
  • Admin actions immediately after login
  • Privilege changes lasting less than one second
  • Multiple control-plane requests within milliseconds
  • Reconnect storms outside normal usage patterns

Detection Strategy

Required Log Sources

To detect these vulnerabilities, log visibility is essential:

  • Control plane API logs
  • Tunnel lifecycle logs
  • Authentication and role-change logs
  • Reverse proxy / API gateway logs
  • Application thread or worker logs

Logs should include millisecond timestamps.


SIEM-Ready Detection Rules

Rule 1 – Tunnel Reconnect Storm with Privilege Drift

IF same.user_id OR same.api_token
   initiates >10 tunnel_init or tunnel_resume
   within 1 second
AND tunnel_owner or privilege_level changes
THEN alert "Possible Tunnel Session Race Exploitation"

Rule 2 – Privileged Action Without Stable Role

IF admin_action executed
AND user_role NOT admin
AND role_change_event within 500ms
THEN alert "Control Plane Privilege Race Abuse"

Rule 3 – Impossible Privilege Duration

IF role_duration < 1 second
AND privileged_action executed
THEN critical alert

Rule 4 – Parallel Control API Abuse

IF same.api_token
   sends >5 control_plane requests
   within 100ms
THEN flag for investigation

Rule 5 – Tunnel Privilege Drift

IF tunnel_id unchanged
AND privilege increases
AND no admin approval
THEN alert

Rule 6 – Concurrent Role Context Collision

IF overlapping role_contexts
FOR same user_id
THEN alert

Rule 7 – Token Reuse Under Parallel Execution

IF same token used by >3 threads
within 200ms
THEN flag automation-based abuse
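The following Go example is added here and is not from the advisory or from Outray: it implements Rule 2 and Rule 3 with the thresholds given above over a handful of constructed log lines. The line layout (millisecond RFC3339 timestamp followed by user=, event= and a role= or action= field) and the event names are assumptions about what the role-change and control-plane logs would carry.

```go
package main

import (
	"strings"
	"time"
)

// Constructed sample lines (not real Outray output): ms timestamp, user=, event=, one detail field.
var SampleLogs = []string{
	"2026-03-14T10:22:01.120Z user=alice event=role_change role=admin",
	"2026-03-14T10:22:01.240Z user=alice event=admin_action action=config_export",
	"2026-03-14T10:22:01.610Z user=alice event=role_change role=user",
	"2026-03-14T10:30:00.000Z user=bob event=role_change role=admin",
	"2026-03-14T10:45:12.000Z user=bob event=admin_action action=tunnel_reassign",
}
type userState struct {
	lastChange      time.Time // last role_change seen for this user
	elevated, acted bool      // currently admin; a privileged action ran in this window
}

// Detect applies Rule 2 (admin action within 500 ms of a role change) and Rule 3
// (privileged action inside an elevation shorter than 1 s); one string per alert.
func Detect(lines []string) []string {
	var alerts []string
	state := map[string]userState{}
	for _, line := range lines {
		f := append(strings.Fields(line), "", "", "", "") // pad so f[0..3] always exist
		ts, err := time.Parse(time.RFC3339Nano, f[0])
		if err != nil {
			continue // no usable timestamp: skip the line
		}
		user, event := strings.TrimPrefix(f[1], "user="), strings.TrimPrefix(f[2], "event=")
		_, detail, _ := strings.Cut(f[3], "=") // role=... or action=...
		st := state[user]
		since := ts.Sub(st.lastChange) // saturates to max Duration before any role change
		switch event {
		case "role_change":
			if st.elevated && st.acted && detail != "admin" && since < time.Second {
				alerts = append(alerts, "CRITICAL rule3 user="+user+" elevated_for="+since.String())
			}
			st.lastChange, st.elevated, st.acted = ts, detail == "admin", false
		case "admin_action":
			if since < 500*time.Millisecond {
				alerts = append(alerts, "ALERT rule2 user="+user+" action="+detail)
			}
			st.acted = true
		}
		state[user] = st
	}
	return alerts
}
```

On the sample input alice trips both rules (admin action 120 ms after the grant, elevation lasting 490 ms), while bob's ordinary long-lived admin session produces nothing.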

MITRE ATT&CK Mapping

  • TA0004 – Privilege Escalation
    • T1068 Exploitation for Privilege Escalation
  • TA0001 – Initial Access
    • T1190 Exploit Public-Facing Application
  • TA0006 – Credential Access
    • T1552 Unsecured Credentials (via config exposure)

Incident Response Guidance

If exploitation is suspected:

  1. Disable affected tokens
  2. Force logout all sessions
  3. Rotate tunnel secrets
  4. Audit tunnel ownership history
  5. Review configuration exports
  6. Patch before re-enabling tunnels

Long-Term Security Lessons

  • Authorization must be atomic
  • Temporary privilege is still privilege
  • High-performance systems need security-aware concurrency
  • Timing issues are security issues

Patch & Remediation

Outray addressed both vulnerabilities in 2026 by:

  • Enforcing strict locking on tunnel objects
  • Serializing role validation and execution
  • Adding post-authorization checks
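As an added illustration (not Outray's code, which this advisory does not show) of the non-atomic check-then-act shape from the Root Cause section beside the serialized, post-authorization-checked form listed above, in Go: RoleStore, Grant, Check, ExecuteUnsafe and Execute are hypothetical names, and "admin" stands in for whatever elevated role the control plane grants.

```go
package main

import (
	"errors"
	"sync"
)

var ErrDenied = errors.New("authorization denied")
// RoleStore holds each user's live role; mu serializes role reads, role
// changes and privileged execution so no request sees a half-updated state.
type RoleStore struct {
	mu    sync.Mutex
	roles map[string]string
}

func NewRoleStore() *RoleStore { return &RoleStore{roles: map[string]string{}} }
// SetRole grants or revokes a role (the temporary elevation and its cleanup).
func (s *RoleStore) SetRole(user, role string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.roles[user] = role
}

// Grant records the outcome of Check: the time-of-check view of the role.
type Grant struct{ User, Role string }
func (s *RoleStore) Check(user string) (Grant, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.roles[user] != "admin" {
		return Grant{}, ErrDenied
	}
	return Grant{User: user, Role: "admin"}, nil
}

// ExecuteUnsafe is the TOCTOU shape: it trusts the stale Grant and never re-reads the live role.
func (s *RoleStore) ExecuteUnsafe(g Grant, action func() string) (string, error) {
	if g.Role != "admin" {
		return "", ErrDenied
	}
	return action(), nil
}

// Execute re-validates the live role (post-authorization check) and runs the action under the
// same lock, so a concurrent SetRole lands wholly before or wholly after it; action must not re-enter the store.
func (s *RoleStore) Execute(g Grant, action func() string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.roles[g.User] != "admin" {
		return "", ErrDenied
	}
	return action(), nil
}
```

With a grant obtained and then revoked before use, ExecuteUnsafe still runs the action while Execute returns ErrDenied.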

Official Patch / Upgrade Advisory:
👉 https://outray.io/security/advisories


Final Takeaway

CVE-2026-22819 and CVE-2026-22820 demonstrate how milliseconds can undermine security.

No malware.
No broken authentication.
No noisy exploit.

Just valid requests executed at the wrong time.

Any organization using Outray — even for temporary or non-production access — should treat these vulnerabilities as high-impact security events and ensure systems are fully patched, monitored, and audited.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.