CVE-2026-42349

· Published 11/05/2026 17:16 · Modified 11/05/2026 17:16

Labels: CVE-2026-42349 · 2026-05-11 · CWE-754 · [email protected]

Essential information

Published
11/05/2026 17:16
Modified
11/05/2026 17:16
Author
Creator
CVSS
7.6 HIGH (v3) 7.6 HIGH (v4.0)
CISA KEV
No
CWE
CWE-754
CVSS vector

CVSS metrics

Description

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. The bypass applies to specific call shapes: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product          CPE
clerk / clerk-js cpe:2.3:a:clerk:clerk-js:5.125.10:*:*:*:*:*:*:*
clerk / clerk-js cpe:2.3:a:clerk:clerk-js:6.7.5:*:*:*:*:*:*:*