CVE-2026-33872

HIGH
2026-03-26 https://github.com/revelrylabs/elixir-nodejs
7.1
CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Mar 26, 2026 - 18:30 vuln.today
Patch Released
Mar 26, 2026 - 18:30 nvd
Patch available
CVE Published
Mar 26, 2026 - 18:23 nvd
HIGH 7.1

Description

### Impact

This vulnerability results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol. The lack of request-response correlation creates a "stale response" vulnerability. Because the worker does not verify which request a response belongs to, it may return the next available data in the buffer to an unrelated caller. In high-throughput environments where the library processes sensitive user data (e.g., PII, authentication tokens, or private records), a timeout or high concurrent load can cause Data A (belonging to User A) to be returned to User B. This may lead to unauthorized information disclosure that is difficult to trace, as the application may not throw an error but instead provide "valid-looking" yet entirely incorrect and private data to the wrong session.

### Patches

Fixed in v3.1.4.

### Resources

https://github.com/revelrylabs/elixir-nodejs/issues/100
https://github.com/revelrylabs/elixir-nodejs/pull/105

Analysis

Cross-user data leakage in elixir-nodejs library versions prior to 3.1.4 allows authenticated users to receive sensitive data belonging to other users through a race condition in the worker protocol's request-response handling. The lack of request-response correlation causes stale responses to be delivered to unrelated callers in high-throughput environments, potentially exposing PII, authentication tokens, or private records. …
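
The stale-response condition described above, reduced to a toy model with a reader that matches replies to requests by id beside one that does not. This is an added example, not code from elixir-nodejs or its patch; `Pipe`, `receiveUncorrelated`, `receiveCorrelated`, `runScenario` and the request ids are hypothetical names and constructed data.

```javascript
// Added illustration: toy model of a worker pipe. All names are hypothetical;
// this is not elixir-nodejs code.
class Pipe {
  constructor() { this.pending = []; this.buffer = []; }
  send(req) { this.pending.push(req); }            // caller writes a request
  workerReplies() {                                 // worker answers oldest request
    const req = this.pending.shift();
    if (req) this.buffer.push({ id: req.id, body: `data-for-${req.user}` });
  }
  read() { return this.buffer.shift(); }            // undefined models a timeout
}

// Uncorrelated: whatever is next in the buffer is assumed to be ours.
function receiveUncorrelated(pipe, _req) {
  const resp = pipe.read();
  return resp ? resp.body : "timeout";
}

// Correlated: discard replies whose id does not match our request.
function receiveCorrelated(pipe, req) {
  let resp;
  while ((resp = pipe.read()) !== undefined) {
    if (resp.id === req.id) return resp.body;
  }
  return "timeout";
}

// Constructed scenario: A times out, A's late reply is then buffered, B calls.
function runScenario(receive) {
  const pipe = new Pipe();
  const a = { id: 1, user: "A" };
  const b = { id: 2, user: "B" };
  pipe.send(a);
  const aResult = receive(pipe, a);   // worker still busy: A gives up
  pipe.workerReplies();               // late reply for A lands in the buffer
  pipe.send(b);
  pipe.workerReplies();               // reply for B is queued behind A's
  const bResult = receive(pipe, b);
  return { aResult, bResult, leftover: pipe.buffer.length };
}

console.log("uncorrelated:", runScenario(receiveUncorrelated));
console.log("correlated:  ", runScenario(receiveCorrelated));
```

In the uncorrelated run, `leftover` is 1: B's own reply stays in the buffer for whoever calls next, so one timeout shifts every later response by one caller without raising an error.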


Remediation

Within 24 hours: Identify all systems running elixir-nodejs versions prior to 3.1.4 and assess whether they process sensitive data in multi-user or high-concurrency contexts. Within 7 days: Upgrade elixir-nodejs to version 3.1.4 or later across all affected systems; coordinate testing to validate functionality post-patch in lower-risk environments first. …


Priority Score

36
KEV: 0
EPSS: +0.1
CVSS: +36
POC: 0
