CVE-2026-42349

Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs, has(), auth.protect(), and related authorization predicates can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. The affected call shapes are a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check; a check written in one of these shapes can be bypassed. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
Configurations

Configuration 1 (OR)

cpe:2.3:a:clerk:clerk\/astro:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/backend:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/chrome-extension:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/clerk-expo:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/clerk-js:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/clerk-react:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/expo:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/express:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/fastify:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/hono:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/nextjs:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/nuxt:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/react:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/react-router:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/shared:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/tanstack-react-start:*:*:*:*:*:node.js:*:*
cpe:2.3:a:clerk:clerk\/vue:*:*:*:*:*:node.js:*:*

History

01 Jun 2026, 16:33

Type: References
  Values Removed: https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c
  Values Added: https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c - Mitigation, Vendor Advisory

Type: CVSS
  Values Removed: v2 : unknown; v3 : unknown
  Values Added: v2 : unknown; v3 : 8.1

Type: First Time
  Values Added:
    Clerk clerk\/clerk-js
    Clerk clerk\/tanstack-react-start
    Clerk clerk\/chrome-extension
    Clerk clerk\/nuxt
    Clerk clerk\/fastify
    Clerk clerk\/backend
    Clerk clerk\/react
    Clerk
    Clerk clerk\/hono
    Clerk clerk\/shared
    Clerk clerk\/vue
    Clerk clerk\/express
    Clerk clerk\/expo
    Clerk clerk\/nextjs
    Clerk clerk\/clerk-react
    Clerk clerk\/react-router
    Clerk clerk\/astro
    Clerk clerk\/clerk-expo

Type: CPE
  Values Added:
    cpe:2.3:a:clerk:clerk\/expo:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/clerk-react:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/vue:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/nextjs:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/clerk-expo:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/tanstack-react-start:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/fastify:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/shared:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/hono:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/chrome-extension:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/backend:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/clerk-js:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/nuxt:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/react:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/react-router:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/express:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:clerk:clerk\/astro:*:*:*:*:*:node.js:*:*

14 May 2026, 19:16

Type: References
  Values Removed: https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c
  Values Added: https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c

11 May 2026, 17:16

Type: New CVE

Information

Published : 2026-05-11 17:16

Updated : 2026-06-01 16:33


NVD link : CVE-2026-42349

Mitre link : CVE-2026-42349

CVE.ORG link : CVE-2026-42349



Products Affected

clerk

  • clerk\/astro
  • clerk\/react-router
  • clerk\/nuxt
  • clerk\/expo
  • clerk\/express
  • clerk\/backend
  • clerk\/hono
  • clerk\/chrome-extension
  • clerk\/nextjs
  • clerk\/react
  • clerk\/clerk-js
  • clerk\/shared
  • clerk\/tanstack-react-start
  • clerk\/clerk-react
  • clerk\/fastify
  • clerk\/clerk-expo
  • clerk\/vue
CWE
CWE-754

Improper Check for Unusual or Exceptional Conditions

CWE-863

Incorrect Authorization