Browse all 4 CVE security advisories affecting Clerk. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Clerk serves as a backend-as-a-service platform enabling developers to manage data, authentication, and business logic for web applications. Historically, this system has been susceptible to remote code execution, cross-site scripting, and privilege escalation vulnerabilities, often stemming from improper input validation and access control flaws. While no major public incidents have been widely documented, the 4 recorded CVEs highlight potential risks in its API endpoints and configuration management. Clerk's security posture relies on regular updates and proper implementation of security controls to mitigate these common vulnerability classes in developer-centric environments.
| CVE ID | Title | Ecosystem | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-41248 | Official Clerk JavaScript SDKs: Middleware-based route protection bypass | astro | CWE-436 | 9.1 | Critical | 2026-04-24 |
| CVE-2026-34076 | Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host | javascript | CWE-918 | 7.4 | High | 2026-04-01 |
| CVE-2025-53548 | @clerk/backend Performs Insufficient Verification of Data Authenticity | javascript | CWE-345 | 7.5 | High | 2025-07-09 |
| CVE-2024-22206 | @clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR) | javascript | CWE-284 | 9.1 | Critical | 2024-01-12 |
This page lists every published CVE security advisory associated with Clerk. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.