High severity7.4NVD Advisory· Published Apr 1, 2026· Updated Apr 29, 2026

CVE-2026-34076

Description

Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@clerk/backendnpm	>= 3.0.0, < 3.2.3	3.2.3
@clerk/expressnpm	>= 2.0.0, < 2.0.7	2.0.7
@clerk/hononpm	>= 0.1.0, < 0.1.5	0.1.5
@clerk/fastifynpm	>= 3.1.0, < 3.1.5	3.1.5

Affected products

@clerk/@Clerk/Fastifyinferred
Range: >=3.1.0,<3.1.5
Package: https://npmjs.com/package/@clerk/fastify

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-gjxx-92w9-8v8fghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-34076ghsaADVISORY
github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8fnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.481
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000