CVE-2026-42349
Analyzed Analyzed - Analysis Complete
Authorization Bypass in Clerk JavaScript SDK

Publication date: 2026-05-11

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-42349
Affected Vendors & Products
Showing 29 associated CPEs
Vendor Product Version / Range
clerk clerk/astro From 2.0.0 (inc) to 2.17.11 (exc)
clerk clerk/astro From 3.0.0 (inc) to 3.0.18 (exc)
clerk clerk/backend From 2.0.0 (inc) to 2.33.3 (exc)
clerk clerk/chrome-extension From 1.3.5 (inc) to 2.9.15 (exc)
clerk clerk/chrome-extension From 3.0.0 (inc) to 3.1.15 (exc)
clerk clerk/clerk-expo From 2.2.11 (inc) to 2.19.36 (exc)
clerk clerk/clerk-js From 5.22.0 (inc) to 5.125.10 (exc)
clerk clerk/clerk-js From 6.0.0 (inc) to 6.7.5 (exc)
clerk clerk/clerk-react From 5.9.0 (inc) to 5.61.6 (exc)
clerk clerk/expo From 3.0.0 (inc) to 3.2.2 (exc)
clerk clerk/express From 0.1.0 (inc) to 1.7.79 (exc)
clerk clerk/express From 2.0.0 (inc) to 2.1.6 (exc)
clerk clerk/fastify From 1.0.42 (inc) to 2.6.31 (exc)
clerk clerk/fastify From 3.0.0 (inc) to 3.1.16 (exc)
clerk clerk/hono From 0.0.2 (inc) to 0.1.16 (exc)
clerk clerk/nextjs From 6.0.0 (inc) to 6.39.3 (inc)
clerk clerk/nextjs From 7.0.0 (inc) to 7.2.4 (exc)
clerk clerk/nuxt From 1.0.0 (inc) to 1.13.29 (exc)
clerk clerk/react From 6.0.0 (inc) to 6.4.3 (exc)
clerk clerk/react-router From 0.0.1 (inc) to 2.4.13 (exc)
clerk clerk/react-router From 3.0.0 (inc) to 3.1.4 (exc)
clerk clerk/shared From 3.0.0 (inc) to 3.47.5 (exc)
clerk clerk/shared From 4.0.0 (inc) to 4.8.3 (exc)
clerk clerk/tanstack-react-start From 0.0.1 (inc) to 0.29.11 (exc)
clerk clerk/tanstack-react-start From 1.0.0 (inc) to 1.1.4 (exc)
clerk clerk/vue From 1.0.0 (inc) to 1.17.21 (exc)
clerk clerk/vue From 2.0.0 (inc) to 2.0.16 (exc)
clerk clerk/backend From 3.0.0 (inc) to 3.2.14 (exc)
clerk clerk/nuxt From 2.0.0 (inc) to 2.2.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authorization bypass issue in multiple Clerk SDK packages, including @clerk/astro, @clerk/backend, and @clerk/chrome-extension. It occurs when certain combined authorization checks using has() or auth.protect() calls incorrectly return true, allowing users to perform actions they are not authorized for.

Specifically, the problem arises when combining reverification checks with role, permission, feature, or plan checks, or when combining billing checks with role or permission checks. This flaw lets a user bypass the intended authorization gates.

The vulnerability does not affect session or token verification, only the combined authorization predicates. It has been fixed in versions @clerk/clerk-js 5.125.10 and 6.7.5.

Impact Analysis

This vulnerability can allow unauthorized users to bypass authorization checks and perform actions or access resources they should not be allowed to. This could lead to unauthorized access to sensitive features or data within applications using the affected Clerk SDKs.

While session and token verification remain secure, the flaw in combined authorization checks can compromise confidentiality and integrity of the system by granting improper permissions.

Applications that rely on combined authorization conditions in a single call are particularly at risk unless they upgrade to patched versions or implement workarounds such as splitting combined checks into sequential single-condition checks.

Detection Guidance

This vulnerability involves authorization bypass in Clerk JavaScript SDKs when certain combined authorization checks are used in has() or auth.protect() calls.

Detection involves reviewing your application's use of these functions to identify calls that combine reverification checks with role, permission, feature, or plan checks, or combine billing checks with role or permission checks.

There are no specific network or system commands provided to detect this vulnerability automatically.

A practical approach is to audit your source code for combined authorization predicates in the affected Clerk SDK packages (@clerk/shared, @clerk/nextjs, @clerk/backend, etc.).

Mitigation Strategies

The primary mitigation is to upgrade all affected Clerk SDK packages to the patched versions: @clerk/clerk-js 5.125.10 or 6.7.5 and corresponding patched versions for other packages.

As a temporary workaround, avoid combining multiple authorization checks in a single has() or auth.protect() call. Instead, split combined checks into sequential single-condition checks.

Review your authorization logic to ensure that no combined checks that could trigger the bypass remain in your codebase until you can upgrade.

Compliance Impact

This vulnerability allows unauthorized users to bypass certain authorization checks, potentially granting access to protected actions or data that they should not have. Such unauthorized access could lead to violations of data protection and privacy requirements mandated by standards like GDPR and HIPAA, which require strict access controls to sensitive personal and health information.

Because the vulnerability impacts confidentiality and integrity by allowing unauthorized access, it may increase the risk of non-compliance with regulations that mandate proper authorization and protection of sensitive data.

However, sessions and token verification remain unaffected, which may mitigate some risk but does not eliminate the compliance concerns arising from authorization bypass.

Users of affected Clerk SDKs are advised to upgrade to patched versions to restore proper authorization enforcement and maintain compliance with relevant standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42349. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart