VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-ze6s-bdv8-qqb1

Essentials
Severities (13)
References (5)
Severity details (9)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-ze6s-bdv8-qqb1
Aliases	CVE-2026-32887 GHSA-38f7-945m-qr2g
Summary	Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00015	https://api.first.org/data/v1/epss?cve=CVE-2026-32887
epss	0.00015	https://api.first.org/data/v1/epss?cve=CVE-2026-32887
epss	0.00015	https://api.first.org/data/v1/epss?cve=CVE-2026-32887
epss	0.00015	https://api.first.org/data/v1/epss?cve=CVE-2026-32887
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-38f7-945m-qr2g
cvssv3.1	7.4	https://github.com/Effect-TS/effect
generic_textual	HIGH	https://github.com/Effect-TS/effect
cvssv3.1	7.4	https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g
cvssv3.1_qr	HIGH	https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g
generic_textual	HIGH	https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g
ssvc	Track	https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g
cvssv3.1	7.4	https://nvd.nist.gov/vuln/detail/CVE-2026-32887
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2026-32887

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-32887
		https://github.com/Effect-TS/effect
		https://nvd.nist.gov/vuln/detail/CVE-2026-32887
GHSA-38f7-945m-qr2g		https://github.com/advisories/GHSA-38f7-945m-qr2g
GHSA-38f7-945m-qr2g		https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/Effect-TS/effect

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T13:36:39Z/ Found at https://github.com/Effect-TS/effect/security/advisories/GHSA-38f7-945m-qr2g

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-32887

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.02966
EPSS Score	0.00015
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:49:21.045211+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/32xxx/CVE-2026-32887.json	38.6.0