CVE-2026-42349
Description
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. The defect is reachable only through specific call shapes: a has() or auth.protect() call that combines a reverification check with a role, permission, feature, or plan check, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
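The following is an added illustration, not code from the advisory or from Clerk. It shows a defensive wrapper that never hands a combined check object to the predicate: each requested condition is evaluated with its own single-condition call and the boolean results are AND-ed, so the gated action runs only when the user satisfies every requested condition. It assumes (the page does not state this) that has() takes an object keyed by role, permission, feature, plan or reverification and returns a boolean. The names hasAll and splitChecks, the session fixture, and the vulnerableHas mock are all constructed for the example; the mock reproduces only the advisory's observable effect for combined calls and is not Clerk's actual logic.

```javascript
// Keys a single authorization condition may carry (assumed shape).
const CHECK_KEYS = ['role', 'permission', 'feature', 'plan', 'reverification'];

// Split { role: 'org:admin', reverification: 'strict' } into
// [{ role: 'org:admin' }, { reverification: 'strict' }].
function splitChecks(params) {
  const keys = Object.keys(params).filter((k) => CHECK_KEYS.includes(k));
  if (keys.length === 0) {
    throw new TypeError('hasAll: no authorization condition was requested');
  }
  return keys.map((k) => ({ [k]: params[k] }));
}

// Defensive replacement for a combined has() call: every condition must
// pass on its own. Any non-boolean answer from has() counts as false.
function hasAll(has, params) {
  return splitChecks(params).every((check) => has(check) === true);
}

// Constructed session state used only to drive the example offline.
const session = {
  roles: ['org:member'],
  permissions: ['org:invoices:read'],
  features: ['premium_reports'],
  plans: ['pro'],
  reverified: true,
};

// Evaluate one single-condition check against the constructed session.
function checkOne(state, check) {
  if ('role' in check) return state.roles.includes(check.role);
  if ('permission' in check) return state.permissions.includes(check.permission);
  if ('feature' in check) return state.features.includes(check.feature);
  if ('plan' in check) return state.plans.includes(check.plan);
  if ('reverification' in check) return state.reverified === true;
  return false;
}

// Constructed mock of the vulnerable predicate. Single-condition calls are
// answered correctly. For a combined call the mock stands in for the bug by
// accepting the call as soon as one condition holds, which yields the
// advisory's observable effect: true for a user who satisfies only part of
// the combination.
function vulnerableHas(params) {
  const checks = splitChecks(params);
  if (checks.length === 1) return checkOne(session, checks[0]);
  return checks.some((check) => checkOne(session, check));
}

// The session is reverified and on the "pro" plan but is not an org:admin.
// The combined call wrongly admits it; the split evaluation does not.
function demo() {
  const combined = { reverification: 'strict', role: 'org:admin' };
  return {
    combinedDirect: vulnerableHas(combined), // true (wrong)
    combinedSplit: hasAll(vulnerableHas, combined), // false (correct)
    billingAndRole: hasAll(vulnerableHas, { plan: 'pro', role: 'org:member' }), // true, both hold
  };
}
```

Until the fixed package versions are deployed, routing every multi-condition gate through a wrapper like hasAll keeps the decision independent of how the library combines conditions internally; once upgraded, the wrapper is harmless and the split calls still agree with a correct combined check.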
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | @clerk/shared | >=3.0.0,<3.47.5 | 3.47.5 |
| npm | @clerk/shared | >=4.0.0,<4.8.3 | 4.8.3 |
| npm | @clerk/backend | >=2.0.0,<2.33.3 | 2.33.3 |
| npm | @clerk/backend | >=3.0.0,<3.2.14 | 3.2.14 |
| npm | @clerk/nextjs | >=6.0.0,<6.39.3 | 6.39.3 |
| npm | @clerk/nextjs | >=7.0.0,<7.2.4 | 7.2.4 |
| npm | @clerk/clerk-js | >=5.22.0,<5.125.10 | 5.125.10 |
| npm | @clerk/clerk-js | >=6.0.0,<6.7.5 | 6.7.5 |
| npm | @clerk/clerk-react | >=5.9.0,<5.61.6 | 5.61.6 |
| npm | @clerk/react | >=6.0.0,<6.4.3 | 6.4.3 |
| npm | @clerk/vue | >=1.0.0,<1.17.21 | 1.17.21 |
| npm | @clerk/vue | >=2.0.0,<2.0.16 | 2.0.16 |
| npm | @clerk/astro | >=2.0.0,<2.17.11 | 2.17.11 |
| npm | @clerk/astro | >=3.0.0,<3.0.18 | 3.0.18 |
| npm | @clerk/nuxt | >=1.0.0,<1.13.29 | 1.13.29 |
| npm | @clerk/nuxt | >=2.0.0,<2.2.5 | 2.2.5 |
| npm | @clerk/clerk-expo | >=2.2.11,<2.19.36 | 2.19.36 |
| npm | @clerk/expo | >=3.0.0,<3.2.2 | 3.2.2 |
| npm | @clerk/react-router | >=0.0.1,<2.4.13 | 2.4.13 |
| npm | @clerk/react-router | >=3.0.0,<3.1.4 | 3.1.4 |
| npm | @clerk/tanstack-react-start | >=0.0.1,<0.29.11 | 0.29.11 |
| npm | @clerk/tanstack-react-start | >=1.0.0,<1.1.4 | 1.1.4 |
| npm | @clerk/chrome-extension | >=1.3.5,<2.9.15 | 2.9.15 |
| npm | @clerk/chrome-extension | >=3.0.0,<3.1.15 | 3.1.15 |
| npm | @clerk/fastify | >=1.0.42,<2.6.31 | 2.6.31 |
| npm | @clerk/fastify | >=3.0.0,<3.1.16 | 3.1.16 |
| npm | @clerk/express | >=0.1.0,<1.7.79 | 1.7.79 |
| npm | @clerk/express | >=2.0.0,<2.1.6 | 2.1.6 |
| npm | @clerk/hono | >=0.0.2,<0.1.16 | 0.1.16 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| clerk | clerk/astro | >=2.0.0, <2.17.11 | 2.17.11 |
| clerk | clerk/astro | >=3.0.0, <3.0.18 | 3.0.18 |
| clerk | clerk/backend | >=2.0.0, <2.33.3 | 2.33.3 |
| clerk | clerk/backend | >=3.0.0, <3.2.14 | 3.2.14 |
| clerk | clerk/chrome-extension | >=1.3.5, <2.9.15 | 2.9.15 |
| clerk | clerk/chrome-extension | >=3.0.0, <3.1.15 | 3.1.15 |
| clerk | clerk/clerk-expo | >=2.2.11, <2.19.36 | 2.19.36 |
| clerk | clerk/clerk-js | >=5.22.0, <5.125.10 | 5.125.10 |
| clerk | clerk/clerk-js | >=6.0.0, <6.7.5 | 6.7.5 |
| clerk | clerk/clerk-react | >=5.9.0, <5.61.6 | 5.61.6 |
| clerk | clerk/expo | >=3.0.0, <3.2.2 | 3.2.2 |
| clerk | clerk/express | >=0.1.0, <1.7.79 | 1.7.79 |
| clerk | clerk/express | >=2.0.0, <2.1.6 | 2.1.6 |
| clerk | clerk/fastify | >=1.0.42, <2.6.31 | 2.6.31 |
| clerk | clerk/fastify | >=3.0.0, <3.1.16 | 3.1.16 |
| clerk | clerk/hono | >=0.0.2, <0.1.16 | 0.1.16 |
| clerk | clerk/nextjs | >=6.0.0, <=6.39.3 | |
| clerk | clerk/nextjs | >=7.0.0, <7.2.4 | 7.2.4 |
| clerk | clerk/nuxt | >=1.0.0, <1.13.29 | 1.13.29 |
| clerk | clerk/nuxt | >=2.0.0, <2.2.5 | 2.2.5 |
| clerk | clerk/react | >=6.0.0, <6.4.3 | 6.4.3 |
| clerk | clerk/react-router | >=0.0.1, <2.4.13 | 2.4.13 |
| clerk | clerk/react-router | >=3.0.0, <3.1.4 | 3.1.4 |
| clerk | clerk/shared | >=3.0.0, <3.47.5 | 3.47.5 |
| clerk | clerk/shared | >=4.0.0, <4.8.3 | 4.8.3 |
| clerk | clerk/tanstack-react-start | >=0.0.1, <0.29.11 | 0.29.11 |
| clerk | clerk/tanstack-react-start | >=1.0.0, <1.1.4 | 1.1.4 |
| clerk | clerk/vue | >=1.0.0, <1.17.21 | 1.17.21 |
| clerk | clerk/vue | >=2.0.0, <2.0.16 | 2.0.16 |
References
CWEs
CWE-754 CWE-863