Description
Alienbin is an anonymous code and text sharing web service. In 1.0.0 and earlier, the /save endpoint in server.js drops and recreates the MongoDB TTL index on the entire post collection for every new paste submission. When User B submits a paste with a short TTL (e.g., 30 seconds), the TTL index is recreated with expireAfterSeconds: 30 for all documents in the collection. This causes User A's paste (originally set to 7 days) to be deleted after 30 seconds. An attacker can intentionally delete all existing pastes by repeatedly submitting pastes with ttlOption=30s.
Published: 2026-03-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of other users' data
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a TTL index race condition in the /save endpoint of Alienbin. Each paste submission drops and recreates the MongoDB TTL index for the entire post collection with the TTL specified by the submitter. Because a MongoDB TTL index applies a single expireAfterSeconds value to every document it covers, an attacker who submits pastes with a short TTL causes that short expiration to apply to all existing documents, deleting other users' pastes prematurely. The flaw results in data loss only; there is no remote code execution or privilege escalation. The weakness is classified as CWE-362, a race condition.

Affected Systems

The affected product is Alienbin from Blue-B, version 1.0.0 and all earlier releases whose /save endpoint recreates the TTL index on every request.

Risk and Exploitability

The CVSS score is 7.1, indicating high severity for unauthorized data deletion. The EPSS score is below 1%, implying a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is HTTP POST requests to the /save endpoint with a ttlOption of 30 seconds or similar, repeated so that every stored paste inherits the short expiration. Because the TTL index is rebuilt for the whole collection on each request, every existing paste is subject to the most recently submitted TTL, so exploitation requires nothing more than the ability to submit pastes to the service over the network.

Generated by OpenCVE AI on April 16, 2026 at 03:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Alienbin release in which the collection TTL index is created only once and does not override user-specified TTLs.
  • If an upgrade is not immediately possible, modify the server code to store a per-document TTL value instead of recreating a collection-wide TTL index on each request.
  • Validate or restrict ttlOption values so that values below a safe threshold (e.g., 1 hour) are rejected or capped, preventing maliciously short expirations.
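
One way to implement the second and third recommendations together, as an added example that is not Alienbin's own server.js: give each paste its own expireAt date and create a single TTL index with expireAfterSeconds: 0 at startup, so no request can change another user's expiry, and clamp ttlOption into a safe range before it is used. The field names expireAt and createdAt, the TTL_OPTIONS table, the one-hour floor and the in-memory FakeCollection are assumptions made for this example; the createIndex, dropIndex and insertOne calls match the official Node.js MongoDB driver's Collection methods, so the save functions run unchanged against a real collection. The saveVulnerable function is a reconstruction of the pattern the advisory describes, included only for contrast.

```javascript
// Added example (not Alienbin's code): per-document expiry for a MongoDB paste store.
// Assumed names: expireAt/createdAt fields, TTL_OPTIONS table, FakeCollection stand-in.

const TTL_OPTIONS = { '30s': 30, '10m': 600, '1h': 3600, '1d': 86400, '7d': 7 * 86400 };
const MIN_TTL_SECONDS = 3600;        // floor taken from the advisory's "e.g., 1 hour"
const MAX_TTL_SECONDS = 30 * 86400;  // ceiling chosen for this example

// Vulnerable pattern as the advisory describes it (reconstruction, not the real code):
// every request drops and recreates the collection-wide index with the submitter's TTL,
// so the most recent submitter's TTL applies to every existing paste.
async function saveVulnerable(posts, content, ttlSeconds, now = new Date()) {
  await posts.dropIndex('createdAt_1');
  await posts.createIndex({ createdAt: 1 }, { expireAfterSeconds: ttlSeconds });
  return posts.insertOne({ content, createdAt: now });
}

// Map ttlOption to seconds and clamp into [MIN, MAX]; unknown values are rejected so a
// request cannot smuggle an arbitrary number into the expiry calculation.
function resolveTtlSeconds(ttlOption) {
  const seconds = TTL_OPTIONS[ttlOption];
  if (seconds === undefined) throw new RangeError(`unsupported ttlOption: ${ttlOption}`);
  return Math.min(Math.max(seconds, MIN_TTL_SECONDS), MAX_TTL_SECONDS);
}

// Create the TTL index once at startup. With expireAfterSeconds: 0, MongoDB removes each
// document when the clock passes that document's own expireAt date.
async function ensureExpiryIndex(posts) {
  return posts.createIndex({ expireAt: 1 }, { expireAfterSeconds: 0 });
}

function buildPost(content, ttlOption, now = new Date()) {
  const ttlSeconds = resolveTtlSeconds(ttlOption);
  return { content, createdAt: now, expireAt: new Date(now.getTime() + ttlSeconds * 1000) };
}

async function saveHardened(posts, content, ttlOption, now = new Date()) {
  return posts.insertOne(buildPost(content, ttlOption, now));
}

// In-memory stand-in for a driver Collection that also mimics the TTL monitor:
// documentsExpiredAt(at) lists the documents MongoDB would delete once time reaches `at`.
class FakeCollection {
  constructor() { this.indexes = {}; this.docs = []; }
  async createIndex(keys, options = {}) {
    const name = Object.entries(keys).map(([k, v]) => `${k}_${v}`).join('_');
    this.indexes[name] = { keys, options };
    return name;
  }
  async dropIndex(name) { delete this.indexes[name]; }
  async insertOne(doc) { this.docs.push(doc); return { insertedId: this.docs.length }; }
  documentsExpiredAt(at) {
    return this.docs.filter((doc) =>
      Object.values(this.indexes).some(({ keys, options }) => {
        const value = doc[Object.keys(keys)[0]];
        if (!(value instanceof Date) || options.expireAfterSeconds === undefined) return false;
        return value.getTime() + options.expireAfterSeconds * 1000 <= at.getTime();
      }));
  }
}

// Replay the advisory's scenario: user A saves a 7-day paste, then user B saves a 30s one.
async function demo() {
  const t0 = new Date('2026-03-10T00:00:00Z');
  const after = (seconds) => new Date(t0.getTime() + seconds * 1000);
  const contents = (docs) => docs.map((d) => d.content);

  const vulnerable = new FakeCollection();
  await vulnerable.createIndex({ createdAt: 1 }, { expireAfterSeconds: 7 * 86400 });
  await saveVulnerable(vulnerable, 'user A paste', 7 * 86400, t0);
  await saveVulnerable(vulnerable, 'user B paste', 30, t0);

  const hardened = new FakeCollection();
  await ensureExpiryIndex(hardened);
  await saveHardened(hardened, 'user A paste', '7d', t0);
  await saveHardened(hardened, 'user B paste', '30s', t0);

  return {
    vulnerableIndexTtl: vulnerable.indexes.createdAt_1.options.expireAfterSeconds,
    vulnerableLostAfter60s: contents(vulnerable.documentsExpiredAt(after(60))),
    hardenedLostAfter60s: contents(hardened.documentsExpiredAt(after(60))),
    hardenedLostAfter2h: contents(hardened.documentsExpiredAt(after(2 * 3600))),
  };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

Against a real deployment, call ensureExpiryIndex once when the server starts and drop the old createdAt TTL index a single time during migration, because a leftover index on createdAt would keep expiring documents on its own schedule. The MongoDB TTL monitor runs roughly once a minute, so deletion is not instantaneous in either variant; the difference the demo shows is that the vulnerable variant's index ends up at 30 seconds for every document, while the hardened variant's user A paste keeps its 7-day expireAt and user B's 30s request is raised to the one-hour floor.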

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 17:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values removed: none
Values added: Blue-b; Blue-b alienbin

Type: Vendors & Products
Values removed: none
Values added: Blue-b; Blue-b alienbin

Tue, 10 Mar 2026 22:00:00 +0000

Type: Description
Values removed: none
Values added: Alienbin is an anonymous code and text sharing web service. In 1.0.0 and earlier, the /save endpoint in server.js drops and recreates the MongoDB TTL index on the entire post collection for every new paste submission. When User B submits a paste with a short TTL (e.g., 30 seconds), the TTL index is recreated with expireAfterSeconds: 30 for all documents in the collection. This causes User A's paste (originally set to 7 days) to be deleted after 30 seconds. An attacker can intentionally delete all existing pastes by repeatedly submitting pastes with ttlOption=30s.

Type: Title
Values removed: none
Values added: Alienbin: TTL Index Race Condition allows unauthorized deletion of other users data

Type: Weaknesses
Values removed: none
Values added: CWE-362

Type: References
Values removed: none
Values added:

Type: Metrics
Values removed: none
Values added: cvssV4_0
{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T15:59:20.745Z

Reserved: 2026-03-09T17:41:56.077Z

Link: CVE-2026-31827

Vulnrichment

Updated: 2026-03-11T15:51:54.061Z

NVD

Status: Awaiting Analysis

Published: 2026-03-10T22:16:20.633

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-31827

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses