CVE-2026-42349

Summary

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.

Affected Software

VendorProductVersion RangeStatus
clerkjavascript>= 5.22.0, < 5.125.10affected
clerkjavascript>= 6.0.0, < 6.7.5affected
@clerkshared>= 3.0.0, <= 3.47.4affected
@clerkshared>= 4.0.0, <= 4.8.2affected
@clerkbackend>= 2.0.0, <= 2.33.2affected
@clerkbackend>= 3.0.0, <= 3.2.13affected
@clerknextjs>= 6.0.0, <= 6.39.2affected
@clerknextjs>= 7.0.0, <= 7.2.3affected
@clerkclerk-react>= 5.9.0, <= 5.61.5affected
@clerkreact>= 6.0.0, <= 6.4.2affected
@clerkvue>= 1.0.0, <= 1.17.20affected
@clerkvue>= 2.0.0, <= 2.0.15affected
@clerkastro>= 2.0.0, <= 2.17.10affected
@clerkastro>= 3.0.0, <= 3.0.17affected
@clerknuxt>= 1.0.0, <= 1.13.28affected
@clerknuxt>= 2.0.0, <= 2.2.4affected
@clerkclerk-expo>= 2.2.11, <= 2.19.35affected
@clerkexpo>= 3.0.0, <= 3.2.1affected
@clerkreact-router>= 0.0.1, <= 2.4.12affected
@clerkreact-router>= 3.0.0, <= 3.1.3affected
@clerktanstack-react-start>= 0.0.1, <= 0.29.10affected
@clerktanstack-react-start>= 1.0.0, <= 1.1.3affected
@clerkchrome-extension>= 1.3.5, <= 2.9.14affected
@clerkchrome-extension>= 3.0.0, <= 3.1.14affected
@clerkfastify>= 1.0.42, <= 2.6.30affected
@clerkfastify>= 3.0.0, <= 3.1.15affected
@clerkexpress>= 0.1.0, <= 1.7.78affected
@clerkexpress>= 2.0.0, <= 2.1.5affected
@clerkhono>= 0.0.2, <= 0.1.15affected

Weaknesses

  • CWE-754: CWE-754: Improper Check for Unusual or Exceptional Conditions
  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References