Description
Some types of API requests apparently cause the CVE Services application on cveawg-test.mitre.org to restart, leading to about a minute of downtime for each such request.
Steps to reproduce:
Create a user through a POST of {"username": "test56789@example.com" } to https://cveawg-test.mitre.org/api/org/exampleCNA/user
outcome:
{"message":"test56789@example.com was successfully created.","created":{"username":"test56789@example.com",
"UUID":"9a1d30a0-6a76-4d42-a633-613f310ef42f","secret":"[REDACTED]","active":true,
"org_UUID":"ee1fa4c6-8d34-4353-ad97-194c1b986b8b"}}
Make a GET request for https://cveawg-test.mitre.org/api/registry/org/exampleCNA/user/test56789@example.com
outcome:
{"UUID":"9a1d30a0-6a76-4d42-a633-613f310ef42f","username":"test56789@example.com","role":"","status":
"active","created":"2026-02-19T05:02:20.337Z","last_updated":"2026-02-19T05:02:20.337Z"}
Make a PUT request of {"username":"test56789@example.com"} to https://cveawg-test.mitre.org/api/registry/org/exampleCNA/user/test56789@example.com
outcome:
HTTP/2 502
server: awselb/2.0
date: Thu, 19 Feb 2026 05:07:36 GMT
content-type: text/html
content-length: 122
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>
At this point, the application apparently goes down for about a minute but automatically restarts. If one tries to access it during the restart period, the response to any https://cveawg-test.mitre.org request (even unrelated valid requests without authentication such as curl https://cveawg-test.mitre.org/api/cve/CVE-2025-0001) transitions across three different 5xx HTTP status codes. Specifically, responses are first:
HTTP/2 502
server: awselb/2.0
date: Thu, 19 Feb 2026 05:31:19 GMT
content-type: text/html
content-length: 122
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
</body>
</html>
and then:
HTTP/2 504
server: awselb/2.0
date: Thu, 19 Feb 2026 05:31:44 GMT
content-type: text/html
content-length: 132
<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
</body>
</html>
and then:
HTTP/2 503
server: awselb/2.0
date: Thu, 19 Feb 2026 05:32:08 GMT
content-type: text/html
content-length: 162
<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
</body>
</html>
Finally, the application has successfully restarted and responses are normal, such as HTTP/2 200 for the /api/cve/CVE-2025-0001 call.
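As an added example (not part of the original report or the CVE Services code base): a monitor-side check that groups periodic probe results into 5xx windows and flags those that follow the 502, 504, 503 sequence described above. The probe log format and all names are assumptions; the sample lines are constructed, with the three 5xx timestamps taken from the report.

```python
from datetime import datetime

# Constructed probe log ("ISO-timestamp status") for an unauthenticated GET.
# The 502/504/503 timestamps mirror the report; every other line is made up.
SAMPLE_PROBES = """\
2026-02-19T05:31:05Z 200
2026-02-19T05:31:19Z 502
2026-02-19T05:31:30Z 502
2026-02-19T05:31:44Z 504
2026-02-19T05:32:08Z 503
2026-02-19T05:32:21Z 200
2026-02-19T05:40:00Z 200
2026-02-19T05:40:10Z 503
2026-02-19T05:40:20Z 200
"""

RESTART_PHASES = [502, 504, 503]  # order of status codes observed in the report


def parse_probes(text):
    """Yield (datetime, status) pairs from 'ISO-timestamp status' lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, status = line.split()
        yield datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), int(status)


def find_outage_windows(probes):
    """Group consecutive 5xx probes into windows closed by the next non-5xx probe."""
    windows, current = [], None
    for when, status in probes:
        if 500 <= status <= 599:
            if current is None:
                current = {"start": when, "phases": []}
            # Record each status once per run, so phases lists the transitions.
            if not current["phases"] or current["phases"][-1] != status:
                current["phases"].append(status)
        elif current is not None:
            current["seconds"] = (when - current["start"]).total_seconds()
            current["restart_like"] = current["phases"] == RESTART_PHASES
            windows.append(current)
            current = None
    return windows  # a window still open at end of input is not reported


if __name__ == "__main__":
    for w in find_outage_windows(parse_probes(SAMPLE_PROBES)):
        print(w["start"], w["phases"], w["seconds"], w["restart_like"])
```

Correlating a `restart_like` window with the request log for the preceding seconds narrows down which API call preceded the restart.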