CVE-2026-42349
Description
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. Two call shapes are affected: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, and a call that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
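The affected call shapes are the ones that hand has() or auth.protect() two conditions in a single object. The following is an added example, not code from Clerk or from the advisory: a small wrapper that splits such a combined object into single-condition calls and requires every one of them to return true, so the combined-check code path is never exercised. It assumes a Clerk-style has() predicate that accepts an object with one of the keys role, permission, feature, plan or reverification and returns a boolean; the session stub, its reverification windows and the sample session are constructed for the example.

```javascript
// Added example; not code from Clerk or from the advisory. Assumes a
// Clerk-style `has()` predicate that takes an object with one of the keys
// role / permission / feature / plan / reverification and returns a boolean.
// Until the patched versions are deployed, a caller can avoid passing two
// conditions in one call and AND the single-condition results instead.

const CONDITION_KEYS = ['role', 'permission', 'feature', 'plan', 'reverification'];

// Turn { role: 'x', feature: 'y' } into [{ role: 'x' }, { feature: 'y' }].
function splitChecks(params) {
  const checks = [];
  for (const key of CONDITION_KEYS) {
    if (params[key] !== undefined) {
      checks.push({ [key]: params[key] });
    }
  }
  if (checks.length === 0) {
    throw new Error('no authorization condition supplied');
  }
  return checks;
}

// Conservative AND over single-condition calls: `has()` never sees a
// combined object, so the combined-check code path is not exercised.
function hasAll(has, params) {
  return splitChecks(params).every((check) => has(check) === true);
}

// Counterpart of auth.protect(): throws instead of returning false.
function protectAll(has, params) {
  if (!hasAll(has, params)) {
    throw new Error('forbidden');
  }
}

// Constructed stub standing in for a session's has(); it evaluates exactly one
// condition per call. The reverification windows are constructed for the stub
// and are not Clerk's definitions.
const REVERIFICATION_WINDOW_MS = {
  strict: 10 * 60 * 1000,
  moderate: 60 * 60 * 1000,
  lax: 24 * 60 * 60 * 1000,
};

function makeSessionHas(session, now) {
  return function has(check) {
    const keys = Object.keys(check);
    if (keys.length !== 1) {
      throw new Error('stub evaluates exactly one condition per call');
    }
    switch (keys[0]) {
      case 'role':
        return session.roles.includes(check.role);
      case 'permission':
        return session.permissions.includes(check.permission);
      case 'feature':
        return session.features.includes(check.feature);
      case 'plan':
        return session.plan === check.plan;
      case 'reverification': {
        const windowMs = REVERIFICATION_WINDOW_MS[check.reverification];
        if (windowMs === undefined || session.reverifiedAt === null) return false;
        return now - session.reverifiedAt <= windowMs;
      }
      default:
        return false;
    }
  };
}

// Constructed sample session: an org member on the premium feature who
// reverified five minutes ago.
const NOW = 1700000000000;
const sampleSession = {
  roles: ['org:member'],
  permissions: ['org:invoices:read'],
  features: ['premium'],
  plan: 'pro',
  reverifiedAt: NOW - 5 * 60 * 1000,
};
const sampleHas = makeSessionHas(sampleSession, NOW);

// A combined request is only granted when every condition holds on its own.
hasAll(sampleHas, { feature: 'premium', role: 'org:member' }); // true
hasAll(sampleHas, { feature: 'premium', role: 'org:admin' });  // false
```

The wrapper is an interim measure for code that cannot move to the patched versions in the table below right away; once the SDKs are upgraded, the combined call shape is the supported form again. Applying the same split at the route or middleware layer (wherever auth.protect() is called) covers both affected combinations, reverification with any other predicate and billing (feature or plan) with role or permission.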
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @clerk/shared (npm) | >= 3.0.0, < 3.47.5 | 3.47.5 |
| @clerk/shared (npm) | >= 4.0.0, < 4.8.3 | 4.8.3 |
| @clerk/backend (npm) | >= 2.0.0, < 2.33.3 | 2.33.3 |
| @clerk/backend (npm) | >= 3.0.0, < 3.2.14 | 3.2.14 |
| @clerk/nextjs (npm) | >= 6.0.0, < 6.39.3 | 6.39.3 |
| @clerk/nextjs (npm) | >= 7.0.0, < 7.2.4 | 7.2.4 |
| @clerk/clerk-js (npm) | >= 5.22.0, < 5.125.10 | 5.125.10 |
| @clerk/clerk-js (npm) | >= 6.0.0, < 6.7.5 | 6.7.5 |
| @clerk/clerk-react (npm) | >= 5.9.0, < 5.61.6 | 5.61.6 |
| @clerk/react (npm) | >= 6.0.0, < 6.4.3 | 6.4.3 |
| @clerk/vue (npm) | >= 1.0.0, < 1.17.21 | 1.17.21 |
| @clerk/vue (npm) | >= 2.0.0, < 2.0.16 | 2.0.16 |
| @clerk/astro (npm) | >= 2.0.0, < 2.17.11 | 2.17.11 |
| @clerk/astro (npm) | >= 3.0.0, < 3.0.18 | 3.0.18 |
| @clerk/nuxt (npm) | >= 1.0.0, < 1.13.29 | 1.13.29 |
| @clerk/nuxt (npm) | >= 2.0.0, < 2.2.5 | 2.2.5 |
| @clerk/clerk-expo (npm) | >= 2.2.11, < 2.19.36 | 2.19.36 |
| @clerk/expo (npm) | >= 3.0.0, < 3.2.2 | 3.2.2 |
| @clerk/react-router (npm) | >= 0.0.1, < 2.4.13 | 2.4.13 |
| @clerk/react-router (npm) | >= 3.0.0, < 3.1.4 | 3.1.4 |
| @clerk/tanstack-react-start (npm) | >= 0.0.1, < 0.29.11 | 0.29.11 |
| @clerk/tanstack-react-start (npm) | >= 1.0.0, < 1.1.4 | 1.1.4 |
| @clerk/chrome-extension (npm) | >= 1.3.5, < 2.9.15 | 2.9.15 |
| @clerk/chrome-extension (npm) | >= 3.0.0, < 3.1.15 | 3.1.15 |
| @clerk/fastify (npm) | >= 1.0.42, < 2.6.31 | 2.6.31 |
| @clerk/fastify (npm) | >= 3.0.0, < 3.1.16 | 3.1.16 |
| @clerk/express (npm) | >= 0.1.0, < 1.7.79 | 1.7.79 |
| @clerk/express (npm) | >= 2.0.0, < 2.1.6 | 2.1.6 |
| @clerk/hono (npm) | >= 0.0.2, < 0.1.16 | 0.1.16 |
Affected products
Package URLs from the GHSA record (no CPE assigned; the affected version ranges are those listed in the table above):
- pkg:npm/%40clerk/astro
- pkg:npm/%40clerk/backend
- pkg:npm/%40clerk/chrome-extension
- pkg:npm/%40clerk/clerk-expo
- pkg:npm/%40clerk/clerk-js
- pkg:npm/%40clerk/clerk-react
- pkg:npm/%40clerk/expo
- pkg:npm/%40clerk/express
- pkg:npm/%40clerk/fastify
- pkg:npm/%40clerk/hono
- pkg:npm/%40clerk/nextjs
- pkg:npm/%40clerk/nuxt
- pkg:npm/%40clerk/react
- pkg:npm/%40clerk/react-router
- pkg:npm/%40clerk/shared
- pkg:npm/%40clerk/tanstack-react-start
- pkg:npm/%40clerk/vue
References
- github.com/advisories/GHSA-w24r-5266-9c3c (GHSA advisory)
- github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c (vendor advisory; mitigation)
- nvd.nist.gov/vuln/detail/CVE-2026-42349 (NVD)