CVE-2026-32887: Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC
| Symptom | Severity |
|---|---|
| `auth()` returns wrong user’s session | Critical — authentication bypass |
| `cookies()` / `headers()` from Next.js read wrong request | High — data leakage |
| OpenTelemetry trace context crosses requests | Medium — incorrect traces |
| Works locally, fails in production | Hard to diagnose — only manifests under concurrent load |