CVE-2026-42349— Clerk: Authorization bypass when combining organization, billing, or reverification checks
Possible ATT&CK Techniques 1AI
T1528 · Steal Application Access TokenAffected Version Matrix 29
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| @clerk | astro | >= 2.0.0, <= 2.17.10 | affected |
>= 3.0.0, <= 3.0.17 | affected | ||
| @clerk | backend | >= 2.0.0, <= 2.33.2 | affected |
>= 3.0.0, <= 3.2.13 | affected | ||
| @clerk | chrome-extension | >= 1.3.5, <= 2.9.14 | affected |
>= 3.0.0, <= 3.1.14 | affected | ||
| @clerk | clerk-expo | >= 2.2.11, <= 2.19.35 | affected |
| @clerk | clerk-react | >= 5.9.0, <= 5.61.5 | affected |
| @clerk | expo | >= 3.0.0, <= 3.2.1 | affected |
| @clerk | express | >= 0.1.0, <= 1.7.78 | affected |
>= 2.0.0, <= 2.1.5 | affected | ||
| @clerk | fastify | >= 1.0.42, <= 2.6.30 | affected |
>= 3.0.0, <= 3.1.15 | affected | ||
| @clerk | hono | >= 0.0.2, <= 0.1.15 | affected |
| @clerk | nextjs | >= 6.0.0, <= 6.39.2 | affected |
>= 7.0.0, <= 7.2.3 | affected | ||
| @clerk | nuxt | >= 1.0.0, <= 1.13.28 | affected |
>= 2.0.0, <= 2.2.4 | affected | ||
| @clerk | react | >= 6.0.0, <= 6.4.2 | affected |
| @clerk | react-router | >= 0.0.1, <= 2.4.12 | affected |
>= 3.0.0, <= 3.1.3 | affected | ||
| @clerk | shared | >= 3.0.0, <= 3.47.4 | affected |
>= 4.0.0, <= 4.8.2 | affected | ||
| @clerk | tanstack-react-start | >= 0.0.1, <= 0.29.10 | affected |
>= 1.0.0, <= 1.1.3 | affected | ||
| @clerk | vue | >= 1.0.0, <= 1.17.20 | affected |
>= 2.0.0, <= 2.0.15 | affected | ||
| clerk | javascript | >= 5.22.0, < 5.125.10 | affected |
>= 6.0.0, < 6.7.5 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42349
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Clerk: Authorization bypass when combining organization, billing, or reverification checks
Source: NVD (National Vulnerability Database)
Vulnerability Description
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对因果或异常条件的不恰当检查
Source: NVD (National Vulnerability Database)
Vulnerability Title
Official Clerk JavaScript SDKs 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Official Clerk JavaScript SDKs是Clerk开源的一个用于 Clerk 身份验证的官方 Javascript 存储库。 Official Clerk JavaScript SDKs存在代码问题漏洞,该漏洞源于has()、auth.protect()及相关授权谓词在特定组合授权检查中可能返回true,可能导致不满足全部条件的用户绕过授权检查执行受限操作。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| clerk | javascript | >= 5.22.0, < 5.125.10 | - | |
| @clerk | shared | >= 3.0.0, <= 3.47.4 | - | |
| @clerk | backend | >= 2.0.0, <= 2.33.2 | - | |
| @clerk | nextjs | >= 6.0.0, <= 6.39.2 | - | |
| @clerk | clerk-react | >= 5.9.0, <= 5.61.5 | - | |
| @clerk | react | >= 6.0.0, <= 6.4.2 | - | |
| @clerk | vue | >= 1.0.0, <= 1.17.20 | - | |
| @clerk | astro | >= 2.0.0, <= 2.17.10 | - | |
| @clerk | nuxt | >= 1.0.0, <= 1.13.28 | - | |
| @clerk | clerk-expo | >= 2.2.11, <= 2.19.35 | - | |
| @clerk | expo | >= 3.0.0, <= 3.2.1 | - | |
| @clerk | react-router | >= 0.0.1, <= 2.4.12 | - | |
| @clerk | tanstack-react-start | >= 0.0.1, <= 0.29.10 | - | |
| @clerk | chrome-extension | >= 1.3.5, <= 2.9.14 | - | |
| @clerk | fastify | >= 1.0.42, <= 2.6.30 | - | |
| @clerk | express | >= 0.1.0, <= 1.7.78 | - | |
| @clerk | hono | >= 0.0.2, <= 0.1.15 | - |
II. Public POCs for CVE-2026-42349
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42349
请登录查看更多情报信息。
- https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3cx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-42349
IV. Related Vulnerabilities
Same vendor: clerk
Same weakness: CWE-754
- CVE-2026-4054
SVG content served through Mattermost image proxy despite Co - CVE-2026-0241
Trust Protection Foundation: Multiple Authorization Bypass V - CVE-2026-0235
Prisma Browser: Access and Data Rule Bypass - CVE-2026-0262
PAN-OS: Denial of Service Vulnerabilities in Network Traffic - CVE-2026-42950
ELECOM WAB 代码问题漏洞
V. Comments for CVE-2026-42349
No comments yet