Vulnerability Details: CVE-2026-42349

Summary
Assigner: GitHub_M
Assigner Org ID: a0819718-46f1-4df5-94e2-005712e83aaa
Published At: 11 May, 2026 | 16:08
Updated At: 11 May, 2026 | 16:08

Clerk: Authorization bypass when combining organization, billing, or reverification checks

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. The affected call shapes are: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or one that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.

Common Vulnerabilities and Exposures (CVE) (cve.org)
CVE Numbering Authority (CNA)
Affected Products (vendor / product: affected version ranges)
  • clerk / javascript: >= 5.22.0, < 5.125.10; >= 6.0.0, < 6.7.5
  • @clerk / shared: >= 3.0.0, <= 3.47.4; >= 4.0.0, <= 4.8.2
  • @clerk / backend: >= 2.0.0, <= 2.33.2; >= 3.0.0, <= 3.2.13
  • @clerk / nextjs: >= 6.0.0, <= 6.39.2; >= 7.0.0, <= 7.2.3
  • @clerk / clerk-react: >= 5.9.0, <= 5.61.5
  • @clerk / react: >= 6.0.0, <= 6.4.2
  • @clerk / vue: >= 1.0.0, <= 1.17.20; >= 2.0.0, <= 2.0.15
  • @clerk / astro: >= 2.0.0, <= 2.17.10; >= 3.0.0, <= 3.0.17
  • @clerk / nuxt: >= 1.0.0, <= 1.13.28; >= 2.0.0, <= 2.2.4
  • @clerk / clerk-expo: >= 2.2.11, <= 2.19.35
  • @clerk / expo: >= 3.0.0, <= 3.2.1
  • @clerk / react-router: >= 0.0.1, <= 2.4.12; >= 3.0.0, <= 3.1.3
  • @clerk / tanstack-react-start: >= 0.0.1, <= 0.29.10; >= 1.0.0, <= 1.1.3
  • @clerk / chrome-extension: >= 1.3.5, <= 2.9.14; >= 3.0.0, <= 3.1.14
  • @clerk / fastify: >= 1.0.42, <= 2.6.30; >= 3.0.0, <= 3.1.15
  • @clerk / express: >= 0.1.0, <= 1.7.78; >= 2.0.0, <= 2.1.5
  • @clerk / hono: >= 0.0.2, <= 0.1.15
Problem Types
  • CWE-754: Improper Check for Unusual or Exceptional Conditions
  • CWE-863: Incorrect Authorization
Metrics
CVSS version: 4.0
Base score: 7.6 (HIGH)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
References
  • https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c (x_refsource_CONFIRM)
National Vulnerability Database (NVD) (nvd.nist.gov)
Source: security-advisories@github.com
Published At: 11 May, 2026 | 17:16
Updated At: 11 May, 2026 | 17:16

Metrics
Type: Secondary
CVSS version: 4.0
Base score: 7.6 (HIGH)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weaknesses
  • CWE-754 (Primary; source: security-advisories@github.com)
  • CWE-863 (Primary; source: security-advisories@github.com)
References
  • https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c (source: security-advisories@github.com)
Similar CVEs (3 records found)

CVE-2026-41248 (Matching Score: 6; Assigner: GitHub, Inc.)
CVSS Score: 9.1 (CRITICAL); EPSS: 0.11% / 29.09% (7-day change: ~0.00%)
Published: 24 Apr, 2026 | 21:04; Updated: 29 Apr, 2026 | 20:56
Official Clerk JavaScript SDKs: Middleware-based route protection bypass

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, and 4.8.1.

Vendor: clerk; Products: nuxt, nextjs, astro, shared
CWE-436: Interpretation Conflict; CWE-863: Incorrect Authorization
CVE-2024-53949 (Matching Score: 4; Assigner: Apache Software Foundation)
CVSS Score: 7.6 (HIGH); EPSS: 0.34% / 56.29% (7-day change: ~0.00%)
Published: 09 Dec, 2024 | 13:35; Updated: 12 Feb, 2025 | 10:15
Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled

Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API. This issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.

Vendor: The Apache Software Foundation; Products: superset, Apache Superset
CWE-863: Incorrect Authorization
CVE-2026-42431 (Matching Score: 4; Assigner: VulnCheck)
CVSS Score: 7.6 (HIGH); EPSS: 0.03% / 9.15% (7-day change: ~0.00%)
Published: 28 Apr, 2026 | 18:10; Updated: 30 Apr, 2026 | 14:06
OpenClaw < 2026.4.8 - Persistent Profile Mutation via node.invoke(browser.proxy) Bypass

OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.

Vendor: OpenClaw; Products: openclaw, OpenClaw
CWE-863: Incorrect Authorization