VYPR
High severity7.4NVD Advisory· Published Mar 20, 2026· Updated Apr 14, 2026

CVE-2026-32887

CVE-2026-32887

Description

Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using RpcServer.toWebHandler (or HttpApp.toWebHandlerRuntime) inside a Next.js App Router route handler, any Node.js AsyncLocalStorage-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, auth() from @clerk/nextjs/server returns a different user's session. Version 3.20.0 contains a fix for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
effectnpm
< 3.20.03.20.0

Affected products

10

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.