VYPR
High severity 8.1 · GHSA Advisory · Published May 11, 2026 · Updated Jun 1, 2026

CVE-2026-42349

Description

Clerk JavaScript is the official JavaScript repository for Clerk authentication. The has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. The bypass applies, if certain conditions are met, to the following call shapes: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or one that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
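To triage a codebase for the call shapes described above, the following added example (not Clerk's code and not part of the advisory) scans source text for has() and auth.protect() calls whose object-literal argument combines the named checks. It assumes the checks are passed as literal keys named role, permission, feature, plan and reverification; the sample source and the shape labels are constructed for illustration.

```javascript
// Added example: heuristic triage scanner, not Clerk code.
const BILLING = ['feature', 'plan'];
const ORG = ['role', 'permission'];

// Collect property names at the top level of the object literal starting at src[open].
function topLevelKeys(src, open) {
  const keys = new Set();
  let depth = 0, quote = null, expectKey = false;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (quote) { if (c === '\\') i++; else if (c === quote) quote = null; continue; }
    if (c === '"' || c === "'" || c === '`') { quote = c; expectKey = false; continue; }
    if ('{[('.includes(c)) { depth++; expectKey = depth === 1; }
    else if ('}])'.includes(c)) { if (--depth === 0) break; }
    else if (c === ',' && depth === 1) expectKey = true;
    else if (expectKey && /[A-Za-z_$]/.test(c)) {
      const id = /^[\w$]+/.exec(src.slice(i))[0];
      keys.add(id); i += id.length - 1; expectKey = false;
    } else if (!/\s/.test(c)) expectKey = false;
  }
  return keys;
}

// Map a key set to one of the two combined shapes the advisory describes, or null.
function classify(keys) {
  const any = (list) => list.some((k) => keys.has(k));
  if (keys.has('reverification') && (any(ORG) || any(BILLING))) return 'reverification+other';
  if (any(BILLING) && any(ORG)) return 'billing+role/permission';
  return null;
}

function scan(src) {
  const findings = [];
  for (const m of src.matchAll(/\b(has|auth\.protect)\s*\(\s*\{/g)) {
    const keys = topLevelKeys(src, m.index + m[0].length - 1);
    const shape = classify(keys);
    const line = src.slice(0, m.index).split('\n').length;
    if (shape) findings.push({ call: m[1], line, shape });
  }
  return findings;
}

// Constructed sample source, not taken from any real project.
const SAMPLE = `
if (has({ role: 'org:admin' })) ok();
if (has({ permission: 'org:invoices:manage', reverification: 'strict' })) pay();
await auth.protect({ plan: 'pro', role: 'org:member' });
if (has({ feature: 'exports' })) exportAll();
`;
console.log(scan(SAMPLE));
```

Calls that pass a variable or a spread object instead of a literal are not seen by this scan and need manual review.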

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package (npm) | Affected versions | Patched versions |
| --- | --- | --- |
| @clerk/shared | >= 3.0.0, < 3.47.5 | 3.47.5 |
| @clerk/shared | >= 4.0.0, < 4.8.3 | 4.8.3 |
| @clerk/backend | >= 2.0.0, < 2.33.3 | 2.33.3 |
| @clerk/backend | >= 3.0.0, < 3.2.14 | 3.2.14 |
| @clerk/nextjs | >= 6.0.0, < 6.39.3 | 6.39.3 |
| @clerk/nextjs | >= 7.0.0, < 7.2.4 | 7.2.4 |
| @clerk/clerk-js | >= 5.22.0, < 5.125.10 | 5.125.10 |
| @clerk/clerk-js | >= 6.0.0, < 6.7.5 | 6.7.5 |
| @clerk/clerk-react | >= 5.9.0, < 5.61.6 | 5.61.6 |
| @clerk/react | >= 6.0.0, < 6.4.3 | 6.4.3 |
| @clerk/vue | >= 1.0.0, < 1.17.21 | 1.17.21 |
| @clerk/vue | >= 2.0.0, < 2.0.16 | 2.0.16 |
| @clerk/astro | >= 2.0.0, < 2.17.11 | 2.17.11 |
| @clerk/astro | >= 3.0.0, < 3.0.18 | 3.0.18 |
| @clerk/nuxt | >= 1.0.0, < 1.13.29 | 1.13.29 |
| @clerk/nuxt | >= 2.0.0, < 2.2.5 | 2.2.5 |
| @clerk/clerk-expo | >= 2.2.11, < 2.19.36 | 2.19.36 |
| @clerk/expo | >= 3.0.0, < 3.2.2 | 3.2.2 |
| @clerk/react-router | >= 0.0.1, < 2.4.13 | 2.4.13 |
| @clerk/react-router | >= 3.0.0, < 3.1.4 | 3.1.4 |
| @clerk/tanstack-react-start | >= 0.0.1, < 0.29.11 | 0.29.11 |
| @clerk/tanstack-react-start | >= 1.0.0, < 1.1.4 | 1.1.4 |
| @clerk/chrome-extension | >= 1.3.5, < 2.9.15 | 2.9.15 |
| @clerk/chrome-extension | >= 3.0.0, < 3.1.15 | 3.1.15 |
| @clerk/fastify | >= 1.0.42, < 2.6.31 | 2.6.31 |
| @clerk/fastify | >= 3.0.0, < 3.1.16 | 3.1.16 |
| @clerk/express | >= 0.1.0, < 1.7.79 | 1.7.79 |
| @clerk/express | >= 2.0.0, < 2.1.6 | 2.1.6 |
| @clerk/hono | >= 0.0.2, < 0.1.16 | 0.1.16 |
