Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| clerk | javascript | affected |
|
|||||||||
| @clerk | shared | affected |
|
|||||||||
| @clerk | backend | affected |
|
|||||||||
| @clerk | nextjs | affected |
|
|||||||||
| @clerk | clerk-react | affected |
|
|||||||||
| @clerk | react | affected |
|
|||||||||
| @clerk | vue | affected |
|
|||||||||
| @clerk | astro | affected |
|
|||||||||
| @clerk | nuxt | affected |
|
|||||||||
| @clerk | clerk-expo | affected |
|
|||||||||
| @clerk | expo | affected |
|
|||||||||
| @clerk | react-router | affected |
|
|||||||||
| @clerk | tanstack-react-start | affected |
|
|||||||||
| @clerk | chrome-extension | affected |
|
|||||||||
| @clerk | fastify | affected |
|
|||||||||
| @clerk | express | affected |
|
|||||||||
| @clerk | hono | affected |
|
No data.
No data.
OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.
| Vendors | Products |
|---|---|
|
Clerk
Subscribe
|
Astro
Subscribe
Backend
Subscribe
Chrome-extension
Subscribe
Clerk-expo
Subscribe
Clerk-react
Subscribe
Expo
Subscribe
Express
Subscribe
Fastify
Subscribe
Hono
Subscribe
Javascript
Subscribe
Nextjs
Subscribe
Nuxt
Subscribe
React
Subscribe
React-router
Subscribe
Shared
Subscribe
Tanstack-react-start
Subscribe
Vue
Subscribe
|
Project Subscriptions
| Vendors | Products |
|---|---|
|
Clerk
Subscribe
|
Astro
Subscribe
Backend
Subscribe
Chrome-extension
Subscribe
Clerk-expo
Subscribe
Clerk-react
Subscribe
Expo
Subscribe
Express
Subscribe
Fastify
Subscribe
Hono
Subscribe
Javascript
Subscribe
Nextjs
Subscribe
Nuxt
Subscribe
React
Subscribe
React-router
Subscribe
Shared
Subscribe
Tanstack-react-start
Subscribe
Vue
Subscribe
|
Advisories
| Source | ID | Title |
|---|---|---|
 Github GHSA |
GHSA-w24r-5266-9c3c | Clerk has an authorization bypass when combining organization, billing, or reverification checks |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Tue, 12 May 2026 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Clerk
Clerk astro Clerk backend Clerk chrome-extension Clerk clerk-expo Clerk clerk-react Clerk expo Clerk express Clerk fastify Clerk hono Clerk javascript Clerk nextjs Clerk nuxt Clerk react Clerk react-router Clerk shared Clerk tanstack-react-start Clerk vue |
|
| Vendors & Products |
Clerk
Clerk astro Clerk backend Clerk chrome-extension Clerk clerk-expo Clerk clerk-react Clerk expo Clerk express Clerk fastify Clerk hono Clerk javascript Clerk nextjs Clerk nuxt Clerk react Clerk react-router Clerk shared Clerk tanstack-react-start Clerk vue |
Mon, 11 May 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5. | |
| Title | Clerk: Authorization bypass when combining organization, billing, or reverification checks | |
| Weaknesses | CWE-754 CWE-863 |
|
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-11T16:08:27.869Z
Reserved: 2026-04-26T13:26:14.515Z
Link: CVE-2026-42349
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-05-11T17:16:33.147
Modified: 2026-05-11T17:16:33.147
Link: CVE-2026-42349
Redhat
No data.
OpenCVE Enrichment
Updated: 2026-05-12T09:22:55Z