CVE-2026-31827 Overview
CVE-2026-31827 is a Race Condition vulnerability affecting Alienbin, an anonymous code and text sharing web service. In version 1.0.0 and earlier, the /save endpoint in server.js drops and recreates the MongoDB TTL index on the entire post collection for every new paste submission. This design flaw allows an attacker to manipulate the TTL (Time-To-Live) settings for all documents in the collection, effectively deleting other users' pastes prematurely.
When User B submits a paste with a short TTL (e.g., 30 seconds), the TTL index is recreated with expireAfterSeconds: 30 for all documents in the collection. This causes User A's paste (originally set to 7 days) to be deleted after 30 seconds. An attacker can intentionally delete all existing pastes by repeatedly submitting pastes with ttlOption=30s.
Critical Impact
Attackers can cause complete data loss of all stored pastes by repeatedly submitting pastes with minimal TTL values, leading to denial of service for all platform users.
Affected Products
- Alienbin version 1.0.0 and earlier
- Self-hosted Alienbin instances using MongoDB
Discovery Timeline
- 2026-03-10 - CVE-2026-31827 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-31827
Vulnerability Analysis
This vulnerability stems from a fundamental architectural flaw in how Alienbin manages MongoDB TTL indexes. Rather than implementing per-document TTL values properly, the application recreates the global TTL index on every paste submission. This race condition (CWE-362) creates a Time-of-Check Time-of-Use (TOCTOU) vulnerability where the intended TTL of previously stored documents is overwritten by subsequent submissions.
The attack requires only low privileges (authenticated access to create pastes) and can be executed remotely over the network. The impact is primarily on availability, as attackers can cause unauthorized deletion of data belonging to all users of the service. No confidentiality or integrity impacts are present since the attacker cannot read or modify paste contents directly.
Root Cause
The root cause is improper index management in the /save endpoint within server.js. Instead of using MongoDB's native per-document TTL capabilities or maintaining separate collections for different TTL policies, the application drops and recreates the entire TTL index with each paste submission. This violates the principle of isolation between user operations and creates a global state race condition.
Attack Vector
The attack vector is network-based with low complexity. An attacker with basic access to create pastes can exploit this vulnerability as follows:
- The attacker creates a new paste with the minimum allowed TTL value (30 seconds)
- The /save endpoint drops the existing TTL index on the post collection
- A new TTL index is created with expireAfterSeconds: 30
- MongoDB's TTL monitor thread deletes all documents older than 30 seconds
- Repeating the submission continuously keeps destroying any newly stored pastes
The vulnerability mechanism involves the /save endpoint in server.js that handles paste submissions. When processing a new paste with a ttlOption parameter, the endpoint calls dropIndex() on the existing TTL index and immediately calls createIndex() with the new expireAfterSeconds value derived from the user's input. This global index recreation affects all documents in the collection, regardless of their original TTL settings. For detailed technical analysis, see the GitHub Security Advisory.
Detection Methods for CVE-2026-31827
Indicators of Compromise
- Frequent MongoDB index drop and create operations on the post collection
- Sudden deletion of large numbers of paste documents
- Multiple rapid paste submissions with short TTL values from single IP addresses or sessions
- MongoDB logs showing repeated dropIndex and createIndex commands
Detection Strategies
- Monitor MongoDB operations logs for unusual index modification patterns
- Implement rate limiting alerts on the /save endpoint
- Set up anomaly detection for paste document deletion rates
- Track TTL index modifications and alert on high-frequency changes
Monitoring Recommendations
- Enable MongoDB profiling to capture slow operations and index modifications
- Implement application-level logging for TTL parameter values in paste submissions
- Set up alerts for batch document deletions in the post collection
- Monitor database disk usage for sudden drops indicating mass deletions
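An added detection example (not from the advisory or from Alienbin) that turns the log-based indicators above into code: it scans mongod JSON log lines for dropIndexes/createIndexes commands on the post collection and alerts on a burst of TTL index churn within a sliding window. The log lines are constructed samples in the shape of mongod's JSON log; the window size and threshold are assumptions.

```javascript
// Constructed mongod-style JSON log lines (not real Alienbin logs).
const mkLine = (iso, command) => JSON.stringify({
  t: { $date: iso }, s: 'I', c: 'COMMAND', ctx: 'conn7', msg: 'Slow query',
  attr: { type: 'command', ns: 'alienbin.post', command },
});
const dropCmd = { dropIndexes: 'post', index: 'createdAt_1' };
const createCmd = (ttl) => ({ createIndexes: 'post',
  indexes: [{ key: { createdAt: 1 }, name: 'createdAt_1', expireAfterSeconds: ttl }] });

const SAMPLE_LOG = [
  mkLine('2026-03-10T12:00:00.000Z', { find: 'post', filter: { slug: 'abc' } }),
  mkLine('2026-03-10T12:00:01.000Z', dropCmd), mkLine('2026-03-10T12:00:01.010Z', createCmd(604800)),
  mkLine('2026-03-10T12:00:05.000Z', dropCmd), mkLine('2026-03-10T12:00:05.010Z', createCmd(30)),
  mkLine('2026-03-10T12:00:09.000Z', dropCmd), mkLine('2026-03-10T12:00:09.010Z', createCmd(30)),
  mkLine('2026-03-10T12:00:13.000Z', dropCmd), mkLine('2026-03-10T12:00:13.010Z', createCmd(30)),
  'not a json line, skipped by the parser',
].join('\n');

// Extract index-change events on `coll` from a block of log text.
// Each event records the time, the command and the TTL value if one was set.
function indexEvents(logText, coll = 'post') {
  const events = [];
  for (const line of logText.split('\n')) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }      // tolerate non-JSON lines
    const cmd = rec && rec.attr && rec.attr.command;
    if (!cmd) continue;
    const op = cmd.dropIndexes ? 'dropIndexes' : cmd.createIndexes ? 'createIndexes' : null;
    if (!op || cmd[op] !== coll) continue;
    const ttlIdx = op === 'createIndexes' ? (cmd.indexes || []).find(i => 'expireAfterSeconds' in i) : null;
    events.push({ t: Date.parse(rec.t.$date), op, ttl: ttlIdx ? ttlIdx.expireAfterSeconds : undefined });
  }
  return events;
}

// Return the first alert where more than `threshold` index changes on the
// collection fall inside any `windowMs` span, or null if none does.
function detectTtlChurn(logText, { windowMs = 60000, threshold = 3 } = {}) {
  const ev = indexEvents(logText);
  for (let i = 0, j = 0; i < ev.length; i++) {
    while (ev[i].t - ev[j].t > windowMs) j++;                // slide the window start
    if (i - j + 1 > threshold) {
      const ttls = ev.slice(j, i + 1).map(e => e.ttl).filter(t => t !== undefined);
      return { at: new Date(ev[i].t).toISOString(), changes: i - j + 1, ttls: [...new Set(ttls)] };
    }
  }
  return null;
}
```

A steady-state deployment should show at most one createIndexes on the post collection at startup, so any alert here is worth a look at the ttlOption values logged by the application.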
How to Mitigate CVE-2026-31827
Immediate Actions Required
- Upgrade Alienbin to a patched version when available
- Implement rate limiting on the /save endpoint to prevent abuse
- Consider disabling variable TTL options temporarily until patched
- Back up existing paste data regularly to prevent permanent data loss
Patch Information
A security advisory has been published for this vulnerability. Refer to the GitHub Security Advisory (GHSA-hqvr-6v89-gwff) for official patch information and updated versions. The fix should implement per-document TTL expiration using MongoDB's native expireAt field rather than recreating global indexes.
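To make the mechanism in the Attack Vector section and the per-document expireAt fix described here concrete, the following added example (not Alienbin's server.js or the advisory's patch) models both versions of /save and runs a simulated TTL monitor over an in-memory post collection. It assumes the vulnerable index is on a createdAt field and uses a hypothetical ttlOption allowlist.

```javascript
// Hypothetical ttlOption allowlist; anything not listed is rejected server-side.
const TTL_SECONDS = { '30s': 30, '10m': 600, '1h': 3600, '7d': 7 * 86400 };

function ttlFromOption(ttlOption) {
  const ttl = TTL_SECONDS[ttlOption];
  if (ttl === undefined) throw new Error(`invalid ttlOption: ${ttlOption}`);
  return ttl;
}

// Vulnerable pattern: each /save replaces the collection-wide TTL index, so the
// newest submitter's ttlOption now governs every stored document.
function saveVulnerable(db, body, nowMs) {
  const ttl = ttlFromOption(body.ttlOption);
  // models dropIndex('createdAt_1') + createIndex({createdAt:1},{expireAfterSeconds: ttl})
  db.ttlIndex = { field: 'createdAt', expireAfterSeconds: ttl };
  db.posts.push({ text: body.text, createdAt: nowMs });
}

// Hardened pattern: one index on expireAt with expireAfterSeconds: 0, created
// once at startup; each document carries its own expiry time.
function ensureExpireAtIndex(db) {
  db.ttlIndex = { field: 'expireAt', expireAfterSeconds: 0 };
}
function saveFixed(db, body, nowMs) {
  const ttl = ttlFromOption(body.ttlOption);
  db.posts.push({ text: body.text, expireAt: nowMs + ttl * 1000 });
}

// Simulated TTL monitor: MongoDB removes a document once the indexed date plus
// expireAfterSeconds has passed. Returns the surviving paste texts.
function ttlSweep(db, nowMs) {
  const { field, expireAfterSeconds } = db.ttlIndex;
  db.posts = db.posts.filter(p => p[field] + expireAfterSeconds * 1000 > nowMs);
  return db.posts.map(p => p.text);
}

// Scenario from the advisory: User A saves with 7d, User B saves with 30s one
// second later, and the monitor sweeps 61 s after A's save (constructed times).
function runScenario(mode) {
  const db = { posts: [], ttlIndex: null };
  const t0 = Date.UTC(2026, 2, 10);
  const save = mode === 'fixed' ? saveFixed : saveVulnerable;
  if (mode === 'fixed') ensureExpireAtIndex(db);
  save(db, { text: 'A', ttlOption: '7d' }, t0);
  save(db, { text: 'B', ttlOption: '30s' }, t0 + 1000);
  return ttlSweep(db, t0 + 61000);   // vulnerable: [], fixed: ['A']
}
```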
Workarounds
- Restrict TTL options to a fixed value for all pastes until the vulnerability is patched
- Remove the dynamic TTL functionality from the /save endpoint
- Implement server-side validation that ignores client-provided TTL values
- Deploy the application with a reverse proxy that filters or normalizes TTL parameters
# Example: Nginx rate limiting for the /save endpoint
# limit_req_zone goes in the http {} block; the location goes in the server {} block
# that fronts Alienbin. Tune the rate to what legitimate users actually need.
limit_req_zone $binary_remote_addr zone=save_limit:10m rate=5r/m;

location /save {
    limit_req zone=save_limit burst=10 nodelay;
    proxy_pass http://alienbin_backend;   # upstream block defined elsewhere in the config
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.