Compliance Impact

CVE-2026-34076 involves a Server-Side Request Forgery (SSRF) vulnerability that can lead to the leakage of sensitive secret keys (Clerk-Secret-Key) to attacker-controlled servers.

Exposure of such sensitive authentication keys can compromise the confidentiality and integrity of user data, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding sensitive information.

Organizations using affected versions of Clerk packages with the vulnerable frontendApiProxy feature enabled should promptly patch the vulnerability and rotate secret keys to mitigate risks of unauthorized access and potential data breaches.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-34076 is a Server-Side Request Forgery (SSRF) vulnerability found in the optional frontend API proxy feature of several Clerk JavaScript packages, including @clerk/backend, @clerk/express, @clerk/fastify, and @clerk/hono. This vulnerability allows an unauthenticated attacker to craft a specially designed request path that causes the proxy to send the application's sensitive Clerk-Secret-Key to a server controlled by the attacker.

The issue arises because the clerkFrontendApiProxy function does not properly validate or restrict the destination of proxied requests. By sending a request with a crafted path containing double slashes, the attacker can manipulate the proxy to forward the secret key to an attacker-controlled host.

This vulnerability affects only applications that have explicitly enabled the frontendApiProxy feature, which is not enabled by default. It has been patched in later versions of the affected packages.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a significant impact because it allows an attacker to obtain the Clerk-Secret-Key, a sensitive credential used by the application for authentication purposes.

With access to this secret key, an attacker could potentially impersonate the application or its users, leading to unauthorized access, data breaches, and compromise of the application's integrity and confidentiality.

The vulnerability has a high severity rating with a CVSS score of 7.4, indicating a serious risk. It requires immediate patching of the affected packages and rotation of the Clerk-Secret-Key to mitigate potential exploitation.

Useful 0 Not Useful 0

Detection Guidance

To detect this vulnerability on your system, you should audit your access logs for requests to the proxy endpoint that contain double slashes (//) in the request path, as these may indicate exploitation attempts.

Additionally, search your codebase for usage of the `frontendApiProxy` or `clerkFrontendApiProxy` features to determine if your application is affected.

While specific commands are not provided, you can use commands like the following to search logs and code:

• To search logs for suspicious requests: `grep -r '/__clerk/.*//.*' /path/to/access/logs`
• To search your codebase for usage of the vulnerable proxy feature: `grep -r 'frontendApiProxy' /path/to/your/code` or `grep -r 'clerkFrontendApiProxy' /path/to/your/code`

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading the affected Clerk packages to the patched versions:

• Upgrade `@clerk/hono` to version 0.1.5 or later.
• Upgrade `@clerk/express` to version 2.0.7 or later.
• Upgrade `@clerk/backend` to version 3.2.3 or later.
• Upgrade `@clerk/fastify` to version 3.1.5 or later.

After upgrading, immediately rotate your `Clerk-Secret-Key` in the Clerk Dashboard, as attackers may have already captured the key.

Deploy the application with the new secret key before revoking the old one to avoid service disruption.

Useful 0 Not Useful 0