CVE-2026-42349 PUBLISHED

Clerk: Authorization bypass when combining organization, billing, or reverification checks

Assigner: GitHub_M
Reserved: 26.04.2026 Published: 11.05.2026 Updated: 11.05.2026

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 7.6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	clerk
Product	javascript
Versions	Version >= 5.22.0, < 5.125.10 is affected Version >= 6.0.0, < 6.7.5 is affected

Vendor	@clerk
Product	shared
Versions	Version >= 3.0.0, <= 3.47.4 is affected Version >= 4.0.0, <= 4.8.2 is affected

Vendor	@clerk
Product	backend
Versions	Version >= 2.0.0, <= 2.33.2 is affected Version >= 3.0.0, <= 3.2.13 is affected

Vendor	@clerk
Product	nextjs
Versions	Version >= 6.0.0, <= 6.39.2 is affected Version >= 7.0.0, <= 7.2.3 is affected

Vendor	@clerk
Product	clerk-react
Versions	Version >= 5.9.0, <= 5.61.5 is affected

Vendor	@clerk
Product	react
Versions	Version >= 6.0.0, <= 6.4.2 is affected

Vendor	@clerk
Product	vue
Versions	Version >= 1.0.0, <= 1.17.20 is affected Version >= 2.0.0, <= 2.0.15 is affected

Vendor	@clerk
Product	astro
Versions	Version >= 2.0.0, <= 2.17.10 is affected Version >= 3.0.0, <= 3.0.17 is affected

Vendor	@clerk
Product	nuxt
Versions	Version >= 1.0.0, <= 1.13.28 is affected Version >= 2.0.0, <= 2.2.4 is affected

Vendor	@clerk
Product	clerk-expo
Versions	Version >= 2.2.11, <= 2.19.35 is affected

Vendor	@clerk
Product	expo
Versions	Version >= 3.0.0, <= 3.2.1 is affected

Vendor	@clerk
Product	react-router
Versions	Version >= 0.0.1, <= 2.4.12 is affected Version >= 3.0.0, <= 3.1.3 is affected

Vendor	@clerk
Product	tanstack-react-start
Versions	Version >= 0.0.1, <= 0.29.10 is affected Version >= 1.0.0, <= 1.1.3 is affected

Vendor	@clerk
Product	chrome-extension
Versions	Version >= 1.3.5, <= 2.9.14 is affected Version >= 3.0.0, <= 3.1.14 is affected

Vendor	@clerk
Product	fastify
Versions	Version >= 1.0.42, <= 2.6.30 is affected Version >= 3.0.0, <= 3.1.15 is affected

Vendor	@clerk
Product	express
Versions	Version >= 0.1.0, <= 1.7.78 is affected Version >= 2.0.0, <= 2.1.5 is affected

Vendor	@clerk
Product	hono
Versions	Version >= 0.0.2, <= 0.1.15 is affected

References

https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c

Problem Types

CWE-754: Improper Check for Unusual or Exceptional Conditions CWE
CWE-863: Incorrect Authorization CWE