The vulnerability CVE-2026-27695 affects the zeroae zae-limiter library, a rate limiting tool that implements the token bucket algorithm to control request rates. Prior to version 0.10.1, zae-limiter stores all rate limit buckets for a single entity under the same DynamoDB partition key formatted as `namespace/ENTITY#{id}`. DynamoDB enforces throughput limits on a per-partition basis, typically around 1,000 write capacity units (WCU) per second. When a high-traffic entity generates requests exceeding this limit, DynamoDB throttles requests to that partition, causing delays and degraded service availability. Additionally, because multiple buckets share the same partition key, other entities co-located in that partition may also experience throttling and service degradation. This is a classic example of CWE-770: Allocation of Resources Without Limits or Throttling, where resource consumption is not properly isolated or limited, leading to denial-of-service conditions. The vulnerability does not allow unauthorized data access or modification but impacts availability. The fix introduced in version 0.10.1 involves changing the partition key strategy to distribute buckets across partitions, preventing a single entity from overwhelming a partition's throughput capacity. No known exploits are reported in the wild, but the vulnerability poses a risk to service reliability for deployments using affected versions.

The primary impact of this vulnerability is on service availability. Organizations using zae-limiter versions prior to 0.10.1 may experience degraded performance or denial of service for high-traffic entities due to DynamoDB throttling. This can affect critical applications relying on rate limiting for traffic shaping, API protection, or abuse prevention. The shared partition key design means that not only the high-traffic entity but also other entities sharing the partition can suffer service degradation, potentially amplifying the impact. While confidentiality and integrity are not affected, the availability impact can disrupt business operations, degrade user experience, and increase operational costs due to troubleshooting and mitigation efforts. The vulnerability is exploitable remotely with low privileges and no user interaction, making it accessible to attackers or even legitimate users generating excessive traffic. Organizations with high-volume APIs or services using zae-limiter and DynamoDB are at particular risk. The absence of known exploits suggests limited active targeting but does not eliminate the risk of future exploitation or accidental service outages.

The most effective mitigation is to upgrade zae-limiter to version 0.10.1 or later, which implements a partition key strategy that distributes rate limit buckets to avoid DynamoDB throughput bottlenecks. Until upgrading is possible, organizations should monitor DynamoDB partition-level metrics closely to detect throttling events and identify high-traffic entities causing excessive load. Implementing additional application-level rate limiting or traffic shaping upstream can reduce the risk of overwhelming partitions. Consider isolating high-traffic entities into separate namespaces or partitions manually if feasible. Review and optimize DynamoDB table capacity settings, including provisioned throughput or on-demand capacity modes, to better handle peak loads. Employ alerting for throttling and latency anomalies to enable rapid response. Finally, conduct load testing to understand traffic patterns and validate that rate limiting configurations do not cause unintended service degradation.