CVE-2026-32887 in effectinfo

Summary

by MITRE • 03/21/2026

Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue.


Analysis

by VulDB Data Team • 03/27/2026

CVE-2026-32887 affects the Effect TypeScript framework, specifically applications built on the Next.js App Router that serve requests through RpcServer.toWebHandler or HttpApp.toWebHandlerRuntime. It is a critical context-leakage flaw that undermines the per-request isolation a concurrent web server is expected to provide: when a Node.js AsyncLocalStorage-dependent API is invoked from within an Effect fiber, the request context it observes can belong to a different concurrent request, so contexts become intertwined across requests.

The root cause is improper propagation of asynchronous context through the Effect framework's fiber execution model. When fibers run inside Next.js route handlers that rely on AsyncLocalStorage, the framework does not keep concurrent request contexts isolated: a fiber resumed by the scheduler can observe the store of another in-flight request, or no store at all. The result is a race condition in which one request's context is inadvertently read by another, contaminating data and opening the door to a security breach. The problem is confined to the point where fibers interact with Node.js's AsyncLocalStorage, the mechanism designed to carry context boundaries across asynchronous operations.

The operational impact is severe and falls directly on authentication and session management in applications running an affected version. Under production traffic, the @clerk/nextjs/server auth() function starts returning the wrong user's session, so one user can be served another user's session data. That leakage can lead to unauthorized access to sensitive information, session hijacking and privilege escalation. Because the defect surfaces only when requests overlap, it becomes more pronounced under concurrent load, which makes it particularly dangerous in production environments where many users interact with the application at the same time.

This vulnerability maps to CWE-367: Time-of-Check to Time-of-Use (TOCTOU) and CWE-284: Improper Access Control, since it involves improper handling of concurrent access to shared resources and of context isolation. From an ATT&CK perspective it enables privilege escalation and credential access through context leakage in concurrent request processing, and it also aligns with T1566: Phishing and T1078: Valid Accounts, because a compromised session context can yield unauthorized access to user accounts and data. The fix in version 3.20.0 addresses the core issue by isolating AsyncLocalStorage contexts within Effect fibers, so that each concurrent request keeps its own distinct execution context.

Organizations using Effect with Next.js should upgrade to version 3.20.0 or later immediately. Additional mitigations include enforcing request-context isolation at the application level, monitoring for unusual authentication patterns (for example a session identity that does not match the credentials presented on the request), and reviewing applications that rely on shared state between concurrent requests. The vulnerability underlines how much modern web frameworks depend on correct asynchronous context handling, and why a framework must preserve isolation guarantees whenever it executes work concurrently.

Responsible: GitHub M

Reservation: 03/16/2026

Disclosure: 03/21/2026

Moderation: accepted

CPE: ready

EPSS: 0.00015

KEV: no

Activities: very low
