High severity7.4NVD Advisory· Published Mar 20, 2026· Updated Apr 14, 2026
CVE-2026-32887
CVE-2026-32887
Description
Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using RpcServer.toWebHandler (or HttpApp.toWebHandlerRuntime) inside a Next.js App Router route handler, any Node.js AsyncLocalStorage-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, auth() from @clerk/nextjs/server returns a different user's session. Version 3.20.0 contains a fix for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
effectnpm | < 3.20.0 | 3.20.0 |
Affected products
10- osv-coords9 versionspkg:apk/chainguard/jitsucom-jitsu-consolepkg:apk/chainguard/langfuse-3pkg:apk/chainguard/langfuse-3-workerpkg:apk/chainguard/langfuse-fips-3pkg:apk/chainguard/langfuse-fips-3-workerpkg:apk/wolfi/jitsucom-jitsu-consolepkg:apk/wolfi/langfuse-3pkg:apk/wolfi/langfuse-3-workerpkg:npm/effect
< 2.11.0-r19+ 8 more
- (no CPE)range: < 2.11.0-r19
- (no CPE)range: < 3.163.0-r0
- (no CPE)range: < 3.163.0-r0
- (no CPE)range: < 3.163.0-r0
- (no CPE)range: < 3.163.0-r0
- (no CPE)range: < 2.11.0-r19
- (no CPE)range: < 3.163.0-r0
- (no CPE)range: < 3.163.0-r0
- (no CPE)range: < 3.20.0
Patches
Vulnerability mechanics
References
3- github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2gnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-38f7-945m-qr2gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32887ghsaADVISORY
News mentions
0No linked articles in our index yet.