CVE-2026-42349

Published: May 11, 2026

Modified: May 14, 2026

PUBLISHED

Description

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.

Vendor	Product	Versions
clerk	javascript	affected `>= 5.22.0, < 5.125.10` affected `>= 6.0.0, < 6.7.5`
@clerk	shared	affected `>= 3.0.0, <= 3.47.4` affected `>= 4.0.0, <= 4.8.2`
@clerk	backend	affected `>= 2.0.0, <= 2.33.2` affected `>= 3.0.0, <= 3.2.13`
@clerk	nextjs	affected `>= 6.0.0, <= 6.39.2` affected `>= 7.0.0, <= 7.2.3`
@clerk	clerk-react	affected `>= 5.9.0, <= 5.61.5`
@clerk	react	affected `>= 6.0.0, <= 6.4.2`
@clerk	vue	affected `>= 1.0.0, <= 1.17.20` affected `>= 2.0.0, <= 2.0.15`
@clerk	astro	affected `>= 2.0.0, <= 2.17.10` affected `>= 3.0.0, <= 3.0.17`
@clerk	nuxt	affected `>= 1.0.0, <= 1.13.28` affected `>= 2.0.0, <= 2.2.4`
@clerk	clerk-expo	affected `>= 2.2.11, <= 2.19.35`
@clerk	expo	affected `>= 3.0.0, <= 3.2.1`
@clerk	react-router	affected `>= 0.0.1, <= 2.4.12` affected `>= 3.0.0, <= 3.1.3`
@clerk	tanstack-react-start	affected `>= 0.0.1, <= 0.29.10` affected `>= 1.0.0, <= 1.1.3`
@clerk	chrome-extension	affected `>= 1.3.5, <= 2.9.14` affected `>= 3.0.0, <= 3.1.14`
@clerk	fastify	affected `>= 1.0.42, <= 2.6.30` affected `>= 3.0.0, <= 3.1.15`
@clerk	express	affected `>= 0.1.0, <= 1.7.78` affected `>= 2.0.0, <= 2.1.5`
@clerk	hono	affected `>= 0.0.2, <= 0.1.15`