CVE-2026-42349
Severity: HIGH
Clerk: Authorization bypass when combining organization, billing, or reverification checks
Title source: cnaDescription
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. The affected call shapes are: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan; or one that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
References (1)
https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c
Scores
CVSS v3
8.1
EPSS
0.0025
EPSS Percentile
15.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-754
CWE-863
Status
published
Products (50)
@clerk/astro >= 2.0.0, <= 2.17.10
@clerk/astro >= 3.0.0, <= 3.0.17
@clerk/backend >= 2.0.0, <= 2.33.2
@clerk/backend >= 3.0.0, <= 3.2.13
@clerk/chrome-extension >= 1.3.5, <= 2.9.14
@clerk/chrome-extension >= 3.0.0, <= 3.1.14
@clerk/clerk-expo >= 2.2.11, <= 2.19.35
@clerk/clerk-react >= 5.9.0, <= 5.61.5
@clerk/expo >= 3.0.0, <= 3.2.1
@clerk/express >= 0.1.0, <= 1.7.78
... and 40 more
Published
May 11, 2026
Tracked Since
May 11, 2026