CVE-2026-31827
HIGHAlienbin <= 1.0.0 - Unauthenticated Denial of Service via TTL Index Race Condition
Title source: llmDescription
Alienbin is an anonymous code and text sharing web service. In 1.0.0 and earlier, the /save endpoint in server.js drops and recreates the MongoDB TTL index on the entire post collection for every new paste submission. When User B submits a paste with a short TTL (e.g., 30 seconds), the TTL index is recreated with expireAfterSeconds: 30 for all documents in the collection. This causes User A's paste (originally set to 7 days) to be deleted after 30 seconds. An attacker can intentionally delete all existing pastes by repeatedly submitting pastes with ttlOption=30s.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Blue-B/Alienbin/security/advisories/GHSA-hqvr-6v89-gwff
Scores
CVSS v4
7.1
EPSS
0.0018
EPSS Percentile
7.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-362
Status
published
Products (1)
Blue-B/Alienbin
<= 1.0.0
Published
Mar 10, 2026
Tracked Since
Mar 11, 2026