CVE-2026-42349

Name: CVE-2026-42349
Creator: NVD / NIST
Published: 2026-05-11T17:16:33.147+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.6/10EPSS 0.25%

Last modified Jun 17, 2026

CVE-2026-42349 is a high-severity vulnerability rated 7.6/10 on the CVSS scale. Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. EPSS estimates a 0.25% chance of exploitation in the next 30 days.

Description

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0

7.6/10

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.25%

15.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Clerk	Clerk\/Astro	>= 2.0.0, < 2.17.11
Clerk	Clerk\/Astro	>= 3.0.0, < 3.0.18
Clerk	Clerk\/Backend	>= 2.0.0, < 2.33.3
Clerk	Clerk\/Backend	>= 3.0.0, < 3.2.14
Clerk	Clerk\/Chrome-Extension	>= 1.3.5, < 2.9.15
Clerk	Clerk\/Chrome-Extension	>= 3.0.0, < 3.1.15
Clerk	Clerk\/Clerk-Expo	>= 2.2.11, < 2.19.36
Clerk	Clerk\/Clerk-Js	>= 5.22.0, < 5.125.10
Clerk	Clerk\/Clerk-Js	>= 6.0.0, < 6.7.5
Clerk	Clerk\/Clerk-React	>= 5.9.0, < 5.61.6
Clerk	Clerk\/Expo	>= 3.0.0, < 3.2.2
Clerk	Clerk\/Express	>= 0.1.0, < 1.7.79
Clerk	Clerk\/Express	>= 2.0.0, < 2.1.6
Clerk	Clerk\/Fastify	>= 1.0.42, < 2.6.31
Clerk	Clerk\/Fastify	>= 3.0.0, < 3.1.16
Clerk	Clerk\/Hono	>= 0.0.2, < 0.1.16
Clerk	Clerk\/Nextjs	>= 6.0.0, <= 6.39.3
Clerk	Clerk\/Nextjs	>= 7.0.0, < 7.2.4
Clerk	Clerk\/Nuxt	>= 1.0.0, < 1.13.29
Clerk	Clerk\/Nuxt	>= 2.0.0, < 2.2.5
Clerk	Clerk\/React	>= 6.0.0, < 6.4.3
Clerk	Clerk\/React-Router	>= 0.0.1, < 2.4.13
Clerk	Clerk\/React-Router	>= 3.0.0, < 3.1.4
Clerk	Clerk\/Shared	>= 3.0.0, < 3.47.5
Clerk	Clerk\/Shared	>= 4.0.0, < 4.8.3
Clerk	Clerk\/Tanstack-React-Start	>= 0.0.1, < 0.29.11
Clerk	Clerk\/Tanstack-React-Start	>= 1.0.0, < 1.1.4
Clerk	Clerk\/Vue	>= 1.0.0, < 1.17.21
Clerk	Clerk\/Vue	>= 2.0.0, < 2.0.16

References

https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3cMitigation, Vendor Advisory
https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3cMitigation, Vendor Advisory

Timeline

Published: May 11, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-42349?

How severe is CVE-2026-42349?

CVE-2026-42349 has a CVSS score of 7.6/10 (HIGH severity). The EPSS model estimates a 0.25% probability of exploitation in the next 30 days.

How do I fix CVE-2026-42349?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-42349?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST