CVE-2026-32887
Received Received - Intake
AsyncLocalStorage Context Leak in Effect Framework Causes Session Mix-up

Publication date: 2026-03-20

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context β€” or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32887
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
effectful effect to 3.20.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Effect TypeScript framework prior to version 3.20.0. When using RpcServer.toWebHandler or HttpApp.toWebHandlerRuntime inside a Next.js App Router route handler, any Node.js AsyncLocalStorage-dependent API called within an Effect fiber can incorrectly read the context of another concurrent request or no context at all.

This means that under production traffic, the auth() function from @clerk/nextjs/server may return a different user's session than expected, leading to potential session confusion.

The issue was fixed in version 3.20.0 of the Effect framework.

Impact Analysis

This vulnerability can lead to serious security issues where one user's request context is mixed up with another's.

Specifically, it can cause the authentication function to return the wrong user's session, potentially allowing unauthorized access to another user's data or actions.

Such session confusion can result in data leakage, unauthorized operations, and compromise of user privacy.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade the Effect TypeScript framework to version 3.20.0 or later, which contains the fix for the issue where AsyncLocalStorage-dependent APIs could leak context between concurrent requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32887. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart