HIGHCVE-2026-42349Published Modified CNA GitHub_M
CVE-2026-42349: Clerk: Authorization bypass when combining organization, billing, or reverification checks
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
Metrics
- CVSS v4.0
- 7.6
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 17
Affected packages
- clerk / javascript>= 5.22.0, < 5.125.10 · >= 6.0.0, < 6.7.5
- @clerk / shared>= 3.0.0, <= 3.47.4 · >= 4.0.0, <= 4.8.2
- @clerk / backend>= 2.0.0, <= 2.33.2 · >= 3.0.0, <= 3.2.13
- @clerk / nextjs>= 6.0.0, <= 6.39.2 · >= 7.0.0, <= 7.2.3
- @clerk / clerk-react>= 5.9.0, <= 5.61.5
- @clerk / react>= 6.0.0, <= 6.4.2
- @clerk / vue>= 1.0.0, <= 1.17.20 · >= 2.0.0, <= 2.0.15
- @clerk / astro>= 2.0.0, <= 2.17.10 · >= 3.0.0, <= 3.0.17
- @clerk / nuxt>= 1.0.0, <= 1.13.28 · >= 2.0.0, <= 2.2.4
- @clerk / clerk-expo>= 2.2.11, <= 2.19.35
- @clerk / expo>= 3.0.0, <= 3.2.1
- @clerk / react-router>= 0.0.1, <= 2.4.12 · >= 3.0.0, <= 3.1.3
- @clerk / tanstack-react-start>= 0.0.1, <= 0.29.10 · >= 1.0.0, <= 1.1.3
- @clerk / chrome-extension>= 1.3.5, <= 2.9.14 · >= 3.0.0, <= 3.1.14
- @clerk / fastify>= 1.0.42, <= 2.6.30 · >= 3.0.0, <= 3.1.15
- @clerk / express>= 0.1.0, <= 1.7.78 · >= 2.0.0, <= 2.1.5
- @clerk / hono>= 0.0.2, <= 0.1.15
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N