CVE-2026-42349
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| clerk | javascript | >= 5.22.0, < 5.125.10 | affected |
| clerk | javascript | >= 6.0.0, < 6.7.5 | affected |
| @clerk | shared | >= 3.0.0, <= 3.47.4 | affected |
| @clerk | shared | >= 4.0.0, <= 4.8.2 | affected |
| @clerk | backend | >= 2.0.0, <= 2.33.2 | affected |
| @clerk | backend | >= 3.0.0, <= 3.2.13 | affected |
| @clerk | nextjs | >= 6.0.0, <= 6.39.2 | affected |
| @clerk | nextjs | >= 7.0.0, <= 7.2.3 | affected |
| @clerk | clerk-react | >= 5.9.0, <= 5.61.5 | affected |
| @clerk | react | >= 6.0.0, <= 6.4.2 | affected |
| @clerk | vue | >= 1.0.0, <= 1.17.20 | affected |
| @clerk | vue | >= 2.0.0, <= 2.0.15 | affected |
| @clerk | astro | >= 2.0.0, <= 2.17.10 | affected |
| @clerk | astro | >= 3.0.0, <= 3.0.17 | affected |
| @clerk | nuxt | >= 1.0.0, <= 1.13.28 | affected |
| @clerk | nuxt | >= 2.0.0, <= 2.2.4 | affected |
| @clerk | clerk-expo | >= 2.2.11, <= 2.19.35 | affected |
| @clerk | expo | >= 3.0.0, <= 3.2.1 | affected |
| @clerk | react-router | >= 0.0.1, <= 2.4.12 | affected |
| @clerk | react-router | >= 3.0.0, <= 3.1.3 | affected |
| @clerk | tanstack-react-start | >= 0.0.1, <= 0.29.10 | affected |
| @clerk | tanstack-react-start | >= 1.0.0, <= 1.1.3 | affected |
| @clerk | chrome-extension | >= 1.3.5, <= 2.9.14 | affected |
| @clerk | chrome-extension | >= 3.0.0, <= 3.1.14 | affected |
| @clerk | fastify | >= 1.0.42, <= 2.6.30 | affected |
| @clerk | fastify | >= 3.0.0, <= 3.1.15 | affected |
| @clerk | express | >= 0.1.0, <= 1.7.78 | affected |
| @clerk | express | >= 2.0.0, <= 2.1.5 | affected |
| @clerk | hono | >= 0.0.2, <= 0.1.15 | affected |
Weaknesses
- CWE-754: CWE-754: Improper Check for Unusual or Exceptional Conditions
- CWE-863: CWE-863: Incorrect Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.