CVE-2026-42349
Description
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. The affected call shape is a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
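The mitigation pattern below is an added example, not code from Clerk or from this advisory. It avoids the affected call shape by evaluating each condition with its own single-condition predicate call and requiring every call to return exactly true. It assumes (the page does not state this) that `has` is a function taking an object with exactly one of the keys role, permission, feature, plan or reverification, and that such single-condition calls are not affected; the session data, role and plan names are constructed sample values.

```javascript
// Condition keys accepted by the wrapper (assumed to match the predicate's
// single-condition query keys; this list is an assumption, not Clerk's API).
const CONDITION_KEYS = ["reverification", "role", "permission", "feature", "plan"];

// requireAll(has, conditions): run one single-condition check per supplied
// key and allow only when every check returns strictly `true`. Combining
// conditions in one call is exactly the shape the advisory describes, so
// the wrapper never passes more than one key to `has` at a time.
function requireAll(has, conditions) {
  const keys = Object.keys(conditions).filter((k) => conditions[k] !== undefined);
  if (keys.length === 0) {
    throw new Error("requireAll: at least one condition is required");
  }
  for (const key of keys) {
    if (!CONDITION_KEYS.includes(key)) {
      throw new Error(`requireAll: unknown condition "${key}"`);
    }
  }
  // Anything other than a strict `true` (false, undefined, null) is a deny.
  return keys.every((key) => has({ [key]: conditions[key] }) === true);
}

// Constructed stand-in for a session's single-condition predicate. It refuses
// multi-key queries so that a regression back to the combined call shape is
// caught immediately rather than silently evaluated.
function makeSessionHas(session) {
  return (query) => {
    const keys = Object.keys(query);
    if (keys.length !== 1) {
      throw new Error("single-condition has() expects exactly one key");
    }
    const [key] = keys;
    switch (key) {
      case "role":
        return session.roles.includes(query.role);
      case "permission":
        return session.permissions.includes(query.permission);
      case "feature":
        return session.features.includes(query.feature);
      case "plan":
        return session.plan === query.plan;
      case "reverification":
        return session.reverifiedLevel === query.reverification;
      default:
        return false;
    }
  };
}

// Constructed sample sessions (all values are made up for this example).
const baseSession = {
  roles: ["org:admin"],
  permissions: ["org:billing:manage"],
  features: ["sso"],
  plan: "pro",
};
const adminNotReverified = makeSessionHas({ ...baseSession, reverifiedLevel: null });
const adminReverified = makeSessionHas({ ...baseSession, reverifiedLevel: "strict" });

// gateBillingChange: the kind of combined check the advisory talks about
// (reverification + role + permission), expressed through the wrapper.
function gateBillingChange(has) {
  return requireAll(has, {
    reverification: "strict",
    role: "org:admin",
    permission: "org:billing:manage",
  });
}

console.log("reverified admin:", gateBillingChange(adminReverified)); // true
console.log("non-reverified admin:", gateBillingChange(adminNotReverified)); // false
```

The wrapper treats any non-`true` result as a deny and rejects unknown condition keys, so a typo in a condition name fails closed instead of being ignored. Upgrading to a fixed release remains the primary fix; this pattern is a defensive layer for call sites that must keep working while the upgrade is rolled out.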
Affected products
- Range: >= 0.0.2, <= 0.1.15
Patches
No patches discovered yet.