CVE-2026-31827 in Alienbin
Summary
by MITRE • 03/11/2026
Alienbin is an anonymous code and text sharing web service. In 1.0.0 and earlier, the /save endpoint in server.js drops and recreates the MongoDB TTL index on the entire post collection for every new paste submission. When User B submits a paste with a short TTL (e.g., 30 seconds), the TTL index is recreated with expireAfterSeconds: 30 for all documents in the collection. This causes User A's paste (originally set to 7 days) to be deleted after 30 seconds. An attacker can intentionally delete all existing pastes by repeatedly submitting pastes with ttlOption=30s.
Analysis
by VulDB Data Team • 03/16/2026
The vulnerability described in CVE-2026-31827 is a critical design flaw in the Alienbin anonymous code sharing service that undermines the persistence and integrity of stored pastes. It stems from the handling of MongoDB TTL (Time-To-Live) indexes in the application's /save endpoint: for every paste submission, the application drops and recreates the TTL index on the post collection instead of keeping a stable index and letting each document carry its own expiration time. Because a TTL index applies to the whole collection, every new submission rewrites the retention policy of all existing documents, regardless of the TTL they were originally stored with.
Exploitation follows directly from that design. When a user submits a paste with a short TTL such as 30 seconds, the server.js code removes the existing TTL index and creates a new one with that expiration. In MongoDB, expireAfterSeconds is a property of the index rather than of any one document, so the new value applies to every document in the collection, not just the paste being saved, and the TTL monitor then deletes all documents older than 30 seconds. The advisory maps the vulnerability to CWE-1169, which addresses improper handling of time-based expiration mechanisms in database systems; it is a clear example of index mismanagement leading to data loss.
The operational impact goes beyond the loss of a single paste: the flaw can be used to systematically remove all content stored by the service. A simple loop of submissions with the minimum TTL value keeps the collection's retention policy pinned to that value, so legitimate content disappears within seconds of creation. The attack needs no authentication or special privileges; any user who can reach the /save endpoint can trigger it. The result is effectively a race between legitimate content and the expiration window set by the most recent submission, where the service's own cleanup mechanism becomes the means of destruction. The impact corresponds to ATT&CK technique T1485 (Data Destruction) and shows how an application-level design decision can become an inherent security weakness.
Mitigation must address both the immediate operational threat and the underlying architectural issue. The essential fix is to change the server.js implementation so that the /save endpoint no longer drops and recreates the collection-wide TTL index per submission. The index should be created once, at startup, and left alone; per-paste lifetimes belong in the documents themselves. MongoDB supports this directly: a TTL index with expireAfterSeconds: 0 on a date field (for example expireAt) deletes each document at the time stored in that field, so each paste can carry its own expiration without affecting any other document. Alternatively, index changes can be confined to a controlled background process rather than the request path. In addition, the ttlOption value should be validated against a fixed set of allowed lifetimes, and submissions should be rate limited, so that extreme or unexpected TTL values cannot be used to disrupt availability or cause unintended data loss. Operators should also monitor and alert on index modifications, since in normal operation such changes should be rare and predictable.
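To make the mechanism and the fix concrete, the following added example (not code from Alienbin's server.js) models the flawed pattern the advisory describes, a collection-wide TTL index rewritten on every /save, beside the hardened pattern, one permanent TTL index on a per-document expireAt field. It replays the scenario from the summary (User A stores a 7-day paste, User B then stores a 30-second paste) against a small in-memory stand-in for the MongoDB collection whose sweep() applies the same rule as mongod's TTL monitor, so it runs offline. The ttlOption names other than 30s and the 7-day default, the field names createdAt and expireAt, and the timestamp are assumptions for the example.

```javascript
// Added example; not Alienbin's code. Flawed vs. fixed TTL handling for a
// paste service, with an in-memory collection stub so it runs offline.

// Allowed TTL options -> seconds. Only "30s" and the 7-day default come from
// the advisory; the other names are assumed.
const TTL_OPTIONS = { '30s': 30, '1h': 3600, '1d': 86400, '7d': 7 * 86400 };

// Minimal stand-in for a MongoDB collection holding a single TTL index.
// mongod's TTL monitor deletes a document once <indexed date field> +
// expireAfterSeconds has passed; sweep() reproduces exactly that rule.
class FakeCollection {
  constructor() { this.ttlIndex = null; this.docs = []; }
  async createIndex(keys, { expireAfterSeconds }) {
    const field = Object.keys(keys)[0];
    // Real mongod rejects an index with the same key pattern but different
    // options (IndexOptionsConflict), which is why the flawed code drops first.
    if (this.ttlIndex && this.ttlIndex.field === field &&
        this.ttlIndex.expireAfterSeconds !== expireAfterSeconds) {
      throw new Error('IndexOptionsConflict');
    }
    this.ttlIndex = { field, expireAfterSeconds };
  }
  async dropIndexes() { this.ttlIndex = null; }
  async insertOne(doc) { this.docs.push({ ...doc }); }
  sweep(now) {
    if (!this.ttlIndex) return;
    const { field, expireAfterSeconds } = this.ttlIndex;
    this.docs = this.docs.filter(d => d[field].getTime() + expireAfterSeconds * 1000 > now);
  }
  contents() { return this.docs.map(d => d.content); }
}

// Flawed pattern, reconstructed from the advisory's description (not the actual
// server.js): the index, and with it every document's expiry, is rewritten to
// whatever the latest submitter chose.
async function saveFlawed(collection, content, ttlOption, now) {
  await collection.dropIndexes();
  await collection.createIndex({ createdAt: 1 }, { expireAfterSeconds: TTL_OPTIONS[ttlOption] });
  await collection.insertOne({ content, createdAt: new Date(now) });
}

// Fixed pattern: the index is created once at startup with expireAfterSeconds: 0,
// so each document expires at its own `expireAt`. The save path never touches it.
async function ensureTtlIndex(collection) {
  await collection.createIndex({ expireAt: 1 }, { expireAfterSeconds: 0 });
}

// Validates ttlOption against the allow-list so a request cannot set an
// arbitrary or extreme lifetime, then derives the document's own expiry.
function computeExpireAt(ttlOption, now) {
  if (!Object.prototype.hasOwnProperty.call(TTL_OPTIONS, ttlOption)) {
    throw new Error(`invalid ttlOption: ${String(ttlOption)}`);
  }
  return new Date(now + TTL_OPTIONS[ttlOption] * 1000);
}

async function saveFixed(collection, content, ttlOption, now) {
  await collection.insertOne({ content, expireAt: computeExpireAt(ttlOption, now) });
}

// Replays the advisory's scenario: User A stores a 7-day paste, User B stores a
// 30-second paste, and the TTL monitor sweeps 60 seconds later. Returns the
// contents of the pastes that survive.
async function scenario(save, setup = async () => {}) {
  const col = new FakeCollection();
  await setup(col);
  const t0 = Date.UTC(2026, 2, 11); // constructed timestamp
  await save(col, 'user A paste', '7d', t0);
  await save(col, 'user B paste', '30s', t0);
  col.sweep(t0 + 60 * 1000);
  return col.contents();
}

// Flawed: [] (User A's 7-day paste is gone). Fixed: ['user A paste'].
scenario(saveFlawed).then(r => console.log('flawed survivors:', r));
scenario(saveFixed, ensureTtlIndex).then(r => console.log('fixed survivors:', r));
```

The point the simulation makes is that expireAfterSeconds belongs to the index, so any code path that rewrites it on a per-request basis is rewriting everyone's retention; moving the expiry into each document and pinning the index at 0 removes that shared state entirely, and the allow-list in computeExpireAt is where the advisory's TTL validation lands.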