CVE-2026-41248

Summary

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1

Affected Software

VendorProductVersion RangeStatus
clerkastro>= 0.0.1, < 1.5.7affected
clerkastro>= 2.0.0-snapshot.v20241206174604, <= 2.17.9affected
clerkastro>= 3.0.0, < 3.0.15affected
clerknextjs>= 5.0.0, < 5.7.6affected
clerknextjs>= 6.0.0-snapshot.vb87a27f, < 6.39.2affected
clerknextjs>= 7.0.0, < 7.2.1affected
clerknuxt>= 1.1.0, < 1.13.28affected
clerknuxt>= 2.0.0, < 2.2.2affected
clerkshared>= 2.20.17, < 2.22.1affected
clerkshared>= 3.0.0-canary.v20250225091530, < 3.47.4affected
clerkshared>= 4.0.0, < 4.8.1affected

Weaknesses

  • CWE-436: CWE-436: Interpretation Conflict
  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References