Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

shared

Source -

CNA

CNA CVEs -

2

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
2Vulnerabilities found
CVE-2026-42349
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.6||HIGH
EPSS-Not Assigned
Published-11 May, 2026 | 16:08
Updated-11 May, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Clerk: Authorization bypass when combining organization, billing, or reverification checks

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.

Action-Not Available
Vendor-@clerkclerk
Product-astrobackendsharedreacthonoclerk-expoclerk-reactnuxtchrome-extensionfastifytanstack-react-startjavascriptexpressreact-routerexpovuenextjs
CWE ID-CWE-754
Improper Check for Unusual or Exceptional Conditions
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-41248
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.11% / 29.09%
||
7 Day CHG~0.00%
Published-24 Apr, 2026 | 21:04
Updated-29 Apr, 2026 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Official Clerk JavaScript SDKs: Middleware-based route protection bypass

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1

Action-Not Available
Vendor-clerk
Product-nuxtnextjsastroshared
CWE ID-CWE-436
Interpretation Conflict
CWE ID-CWE-863
Incorrect Authorization