Which versions of Cross-User Data Leakage are affected by CVE-2026-33872?

The elixir-nodejs library (versions prior to 3.1.4) contains a race condition in inter-process communication that allows authenticated users to intercept sensitive data intended for other users,…. A patch is available.

Cross-User Data Leakage CVE-2026-33872

Q: What is the CVSS score of CVE-2026-33872?

CVE-2026-33872 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

HIGH

Race Condition (CWE-362)

2026-03-26 https://github.com/revelrylabs/elixir-nodejs

Information Disclosure Race Condition

7.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 26, 2026 - 18:30 vuln.today

Patch released

Mar 26, 2026 - 18:30 nvd

Patch available

CVE Published

Mar 26, 2026 - 18:23 nvd

HIGH 7.1

DescriptionNVD

Impact

This vulnerability results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol.

The lack of request-response correlation creates a "stale response" vulnerability. Because the worker does not verify which request a response belongs to, it may return the next available data in the buffer to an unrelated caller.

In high-throughput environments where the library processes sensitive user data (e.g., PII, authentication tokens, or private records), a timeout or high concurrent load can cause Data A (belonging to User A) to be returned to User B.

This may lead to unauthorized information disclosure that is difficult to trace, as the application may not throw an error but instead provide "valid-looking" yet entirely incorrect and private data to the wrong session.

Patches

fixed in v3.1.4

Resources

https://github.com/revelrylabs/elixir-nodejs/issues/100

https://github.com/revelrylabs/elixir-nodejs/pull/105

AnalysisAI

Cross-user data leakage in elixir-nodejs library versions prior to 3.1.4 allows authenticated users to receive sensitive data belonging to other users through a race condition in the worker protocol's request-response handling. The lack of request-response correlation causes stale responses to be delivered to unrelated callers in high-throughput environments, potentially exposing PII, authentication tokens, or private records. …

RemediationAI

Within 24 hours: Identify all systems running elixir-nodejs versions prior to 3.1.4 and assess whether they process sensitive data in multi-user or high-concurrency contexts. Within 7 days: Upgrade elixir-nodejs to version 3.1.4 or later across all affected systems; coordinate testing to validate functionality post-patch in lower-risk environments first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33872 vulnerability details – vuln.today

Back

Cross-User Data Leakage CVE-2026-33872

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Resources

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Cross-User Data Leakage CVE-2026-33872

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Impact

Patches

Resources

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code