8.1
CVE-2026-42349
- EPSS 0.25%
- Published 2026-05-11 17:16:33
- Last modified 2026-06-01 16:33:43
- Source security-advisories@github.com
Clerk: Authorization bypass when combining organization, billing, or reverification checks
Clerk JavaScript is the official JavaScript repository for Clerk authentication. The has(), auth.protect() and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend and the other framework SDKs can return true for certain combined authorization checks whose correct result is false, so a gated action proceeds for a user who does not satisfy the full set of requested conditions. The affected call shape is a single has() or auth.protect() call that either combines a reverification check with any of role, permission, feature or plan, or combines a billing check (feature or plan) with a role or permission check. Single-condition calls are not described as affected. The advisory text names @clerk/clerk-js 5.125.10 and 6.7.5 as fixed; the affected-version list below gives the upper bound of the affected range for every other package.
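The following is an added example, not code from the Clerk repository. It shows a stopgap for applications that cannot update immediately: never issue the combined call shape the advisory describes, but evaluate each condition with its own single-condition call and require all of them to pass. The `has()` stand-in built by `makeHas()` is a constructed evaluator over a sample session, not Clerk's `has()`; the condition keys (role, permission, feature, plan, reverification) are taken from the advisory text, and the sample values such as `org:admin` and `strict` are assumptions for illustration.

```javascript
// Added example (not Clerk's code). The advisory says a single has()/auth.protect()
// call that combines reverification with role/permission/feature/plan, or a billing
// check (feature/plan) with role/permission, can wrongly return true. These helpers
// never build that shape: each condition is evaluated on its own and the results are ANDed.

// Condition keys as named in the advisory text (assumed to be the object keys used).
const CONDITION_KEYS = ['role', 'permission', 'feature', 'plan', 'reverification'];

// Reject any check object that would produce the affected combined call shape.
// Returns the single condition key present.
function assertSingleCondition(check) {
  const keys = Object.keys(check).filter((k) => CONDITION_KEYS.includes(k));
  if (keys.length !== 1) {
    throw new Error(
      `expected exactly one of ${CONDITION_KEYS.join('/')}, got ${JSON.stringify(check)}`
    );
  }
  return keys[0];
}

// requireAll(has, [c1, c2, ...]) is true only if every condition passes on its own.
// `has` is any function that evaluates one condition object.
function requireAll(has, checks) {
  return checks.every((check) => {
    assertSingleCondition(check);
    return has(check) === true;
  });
}

// protect-style variant: throws instead of returning false.
function protectAll(has, checks) {
  if (!requireAll(has, checks)) throw new Error('forbidden');
}

// Constructed stand-in for a single-condition has(); it is NOT Clerk's has() and
// only understands one condition per call (the guard above enforces that).
function makeHas(session) {
  return function has(check) {
    const key = assertSingleCondition(check);
    switch (key) {
      case 'role': return session.roles.includes(check.role);
      case 'permission': return session.permissions.includes(check.permission);
      case 'feature': return session.features.includes(check.feature);
      case 'plan': return session.plan === check.plan;
      case 'reverification': return session.reverifiedLevel === check.reverification;
    }
  };
}

// Constructed sample sessions (sample data, not real Clerk session claims).
const ADMIN_NOT_REVERIFIED = makeHas({
  roles: ['org:admin'], permissions: ['org:billing:manage'],
  features: ['sso'], plan: 'pro', reverifiedLevel: null,
});
const ADMIN_REVERIFIED = makeHas({
  roles: ['org:admin'], permissions: ['org:billing:manage'],
  features: ['sso'], plan: 'pro', reverifiedLevel: 'strict',
});

// A sensitive billing action: admin role AND a recent strict reverification.
const BILLING_CHECKS = [{ role: 'org:admin' }, { reverification: 'strict' }];

console.log(requireAll(ADMIN_NOT_REVERIFIED, BILLING_CHECKS)); // false
console.log(requireAll(ADMIN_REVERIFIED, BILLING_CHECKS));     // true
```

This is a workaround for the call shape only; it does not replace updating to the fixed versions, and `assertSingleCondition` is worth keeping afterwards as a lint-style guard against reintroducing combined checks.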
Data provided by the National Vulnerability Database (NVD)
| Vendor | Product | Platform | Affected versions |
|---|---|---|---|
| Clerk | Clerk/astro | node.js | >= 2.0.0, < 2.17.11 |
| Clerk | Clerk/astro | node.js | >= 3.0.0, < 3.0.18 |
| Clerk | Clerk/backend | node.js | >= 2.0.0, < 2.33.3 |
| Clerk | Clerk/backend | node.js | >= 3.0.0, < 3.2.14 |
| Clerk | Clerk/chrome-extension | node.js | >= 1.3.5, < 2.9.15 |
| Clerk | Clerk/chrome-extension | node.js | >= 3.0.0, < 3.1.15 |
| Clerk | Clerk/clerk-expo | node.js | >= 2.2.11, < 2.19.36 |
| Clerk | Clerk/clerk-js | node.js | >= 5.22.0, < 5.125.10 |
| Clerk | Clerk/clerk-js | node.js | >= 6.0.0, < 6.7.5 |
| Clerk | Clerk/clerk-react | node.js | >= 5.9.0, < 5.61.6 |
| Clerk | Clerk/expo | node.js | >= 3.0.0, < 3.2.2 |
| Clerk | Clerk/express | node.js | >= 0.1.0, < 1.7.79 |
| Clerk | Clerk/express | node.js | >= 2.0.0, < 2.1.6 |
| Clerk | Clerk/fastify | node.js | >= 1.0.42, < 2.6.31 |
| Clerk | Clerk/fastify | node.js | >= 3.0.0, < 3.1.16 |
| Clerk | Clerk/hono | node.js | >= 0.0.2, < 0.1.16 |
| Clerk | Clerk/nextjs | node.js | >= 6.0.0, <= 6.39.3 |
| Clerk | Clerk/nextjs | node.js | >= 7.0.0, < 7.2.4 |
| Clerk | Clerk/nuxt | node.js | >= 1.0.0, < 1.13.29 |
| Clerk | Clerk/nuxt | node.js | >= 2.0.0, < 2.2.5 |
| Clerk | Clerk/react | node.js | >= 6.0.0, < 6.4.3 |
| Clerk | Clerk/react-router | node.js | >= 0.0.1, < 2.4.13 |
| Clerk | Clerk/react-router | node.js | >= 3.0.0, < 3.1.4 |
| Clerk | Clerk/shared | node.js | >= 3.0.0, < 3.47.5 |
| Clerk | Clerk/shared | node.js | >= 4.0.0, < 4.8.3 |
| Clerk | Clerk/tanstack-react-start | node.js | >= 0.0.1, < 0.29.11 |
| Clerk | Clerk/tanstack-react-start | node.js | >= 1.0.0, < 1.1.4 |
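The following is an added example, not tooling from Clerk or NVD. It encodes the affected ranges listed above for CVE-2026-42349 and checks a map of installed package versions against them, using an inline semver comparison so it runs offline. The npm package names are assumed to be `@clerk/<product>` as named in the table; the `SAMPLE_INSTALLED` map is constructed sample data, not a real lockfile, and prerelease tags are ignored when comparing.

```javascript
// Added example (not Clerk's or NVD's code): check installed Clerk package
// versions against the affected ranges this entry lists for CVE-2026-42349.

// Ranges exactly as listed on this page. maxInclusive is true only for
// @clerk/nextjs 6.x, which the page gives as "<= 6.39.3".
const AFFECTED_RANGES = [
  { pkg: '@clerk/astro', min: '2.0.0', max: '2.17.11' },
  { pkg: '@clerk/astro', min: '3.0.0', max: '3.0.18' },
  { pkg: '@clerk/backend', min: '2.0.0', max: '2.33.3' },
  { pkg: '@clerk/backend', min: '3.0.0', max: '3.2.14' },
  { pkg: '@clerk/chrome-extension', min: '1.3.5', max: '2.9.15' },
  { pkg: '@clerk/chrome-extension', min: '3.0.0', max: '3.1.15' },
  { pkg: '@clerk/clerk-expo', min: '2.2.11', max: '2.19.36' },
  { pkg: '@clerk/clerk-js', min: '5.22.0', max: '5.125.10' },
  { pkg: '@clerk/clerk-js', min: '6.0.0', max: '6.7.5' },
  { pkg: '@clerk/clerk-react', min: '5.9.0', max: '5.61.6' },
  { pkg: '@clerk/expo', min: '3.0.0', max: '3.2.2' },
  { pkg: '@clerk/express', min: '0.1.0', max: '1.7.79' },
  { pkg: '@clerk/express', min: '2.0.0', max: '2.1.6' },
  { pkg: '@clerk/fastify', min: '1.0.42', max: '2.6.31' },
  { pkg: '@clerk/fastify', min: '3.0.0', max: '3.1.16' },
  { pkg: '@clerk/hono', min: '0.0.2', max: '0.1.16' },
  { pkg: '@clerk/nextjs', min: '6.0.0', max: '6.39.3', maxInclusive: true },
  { pkg: '@clerk/nextjs', min: '7.0.0', max: '7.2.4' },
  { pkg: '@clerk/nuxt', min: '1.0.0', max: '1.13.29' },
  { pkg: '@clerk/nuxt', min: '2.0.0', max: '2.2.5' },
  { pkg: '@clerk/react', min: '6.0.0', max: '6.4.3' },
  { pkg: '@clerk/react-router', min: '0.0.1', max: '2.4.13' },
  { pkg: '@clerk/react-router', min: '3.0.0', max: '3.1.4' },
  { pkg: '@clerk/shared', min: '3.0.0', max: '3.47.5' },
  { pkg: '@clerk/shared', min: '4.0.0', max: '4.8.3' },
  { pkg: '@clerk/tanstack-react-start', min: '0.0.1', max: '0.29.11' },
  { pkg: '@clerk/tanstack-react-start', min: '1.0.0', max: '1.1.4' },
];

// Parse "major.minor.patch[-prerelease][+build]" into three numbers. Prerelease and
// build tags are dropped, so a prerelease of a fixed version compares as that version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1 like a comparator, comparing major, then minor, then patch numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// true: inside an affected range; false: listed package outside every range;
// null: package not covered by this entry at all.
function isAffected(pkg, version) {
  const ranges = AFFECTED_RANGES.filter((r) => r.pkg === pkg);
  if (ranges.length === 0) return null;
  return ranges.some((r) => {
    const aboveMin = compareVersions(version, r.min) >= 0;
    const c = compareVersions(version, r.max);
    const belowMax = r.maxInclusive ? c <= 0 : c < 0;
    return aboveMin && belowMax;
  });
}

// Scan a name -> version map (for example the "packages" section of package-lock.json
// reduced to installed names and versions) and return the affected entries.
function findAffected(installed) {
  return Object.entries(installed)
    .filter(([pkg, version]) => isAffected(pkg, version) === true)
    .map(([pkg, version]) => `${pkg}@${version}`);
}

// Constructed sample input, not a real lockfile.
const SAMPLE_INSTALLED = {
  '@clerk/nextjs': '6.39.3',
  '@clerk/clerk-js': '5.125.10',
  '@clerk/shared': '3.47.4',
  '@clerk/backend': '3.2.14',
  react: '19.0.0',
};

console.log(findAffected(SAMPLE_INSTALLED)); // [ '@clerk/nextjs@6.39.3', '@clerk/shared@3.47.4' ]
```

Note that the check is only as good as the version list it encodes: if the NVD configuration for this CVE is updated, the table above and `AFFECTED_RANGES` need to be updated together, and transitive copies of @clerk/shared or @clerk/backend pulled in by a framework SDK must be scanned as well, not just the top-level dependency.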
VulnDex Vulnerability Enrichment

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.25% | 0.155 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.1 | 2.8 | 5.2 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| security-advisories@github.com | 7.6 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |

CVSS 4.0 does not define separate exploitability and impact sub-scores, so the zeros in the GitHub row are placeholders rather than measured values. Both vectors agree on the essentials: network-reachable, low attack complexity, a low-privileged (authenticated) user, no user interaction, and high impact on confidentiality and integrity; the CVSS 4.0 vector additionally records AT:P (attack requirements present), matching the advisory's statement that only specific combined call shapes are affected.
CWE-754 Improper Check for Unusual or Exceptional Conditions
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c