CVE-2026-32887
Published: 20 March 2026
Summary
CVE-2026-32887 is a high-severity Race Condition (CWE-362) vulnerability in Effectful Effect. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely patching of the Effect framework to version 3.20.0, eliminating the AsyncLocalStorage context leakage vulnerability.
Prevents unauthorized information transfer via shared system resources, addressing the cross-request context sharing in concurrent Effect fibers.
Vulnerability scanning detects the specific Effect framework CVE, enabling proactive remediation before exploitation under concurrent traffic.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a race condition in a public-facing web request handler (Next.js + Effect RpcServer/HttpApp) that is directly exploitable over the network by unauthenticated attackers sending concurrent requests, matching the definition of T1190 Exploit Public-Facing Application. No other Enterprise techniques are directly enabled by the described flaw.
NVD Description
Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from…
more
within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue.
Deeper analysisAI
CVE-2026-32887 is a vulnerability in the Effect TypeScript framework, which consists of several packages for building TypeScript applications. It affects versions prior to 3.20.0, specifically when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler. In this configuration, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can inadvertently read another concurrent request's context—or no context at all. The issue carries a CVSS score of 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) and is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization).
The vulnerability can be exploited by unauthenticated attackers over the network who send concurrent requests under production traffic conditions, requiring high attack complexity. Exploitation allows access to sensitive context from other requests; for example, the `auth()` function from `@clerk/nextjs/server` may return a different user's session, enabling unauthorized access to user data and potentially compromising confidentiality and integrity.
The GitHub security advisory (GHSA-38f7-945m-qr2g) at https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g provides details on the issue. Effect version 3.20.0 contains a fix, and affected users should upgrade to this version or later to mitigate the vulnerability.
Details
- CWE(s)