CVE-2026-41248 - Vulnerability Details

- Official Clerk JavaScript SDKs: Middleware-based route protection bypass

Description

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1

Published: 2026-04-24

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in Clerk JavaScript SDKs for Astro, Next.js, Nuxt, and shared libraries. A crafted request can bypass the createRouteMatcher function that is intended to enforce middleware gating, allowing the attacker to access protected downstream routes normally. The weakness, classified as CWE-436 and CWE-863, can result in unauthorized access to confidential data or functionality.

Affected Systems

Affected are Clerk packages: @clerk/astro (used in Astro framework), @clerk/nextjs (used in Next.js), @clerk/nuxt (used in Nuxt), and @clerk/shared. The specific vulnerable versions are earlier than 3.0.15 for Astro, 7.2.1 for Next.js, 2.2.2 for Nuxt, and 4.8.1 for shared.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical severity. The EPSS score, although below 1%, reflects a very low exploitation probability at the moment, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through crafted HTTP requests to bypass protection; prerequisites appear to be only legitimate access to the application’s routing layer. Given the high CVSS and the nature of the breach, the potential impact ranges from data exposure to full unauthorized control over protected resources if exploited.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

clerk

astro

affected

Version	Status	Constraints
`>= 0.0.1, < 1.5.7`	affected	—
`>= 2.0.0-snapshot.v20241206174604, <= 2.17.9`	affected	—
`>= 3.0.0, < 3.0.15`	affected	—

clerk

nextjs

affected

Version	Status	Constraints
`>= 5.0.0, < 5.7.6`	affected	—
`>= 6.0.0-snapshot.vb87a27f, < 6.39.2`	affected	—
`>= 7.0.0, < 7.2.1`	affected	—

clerk

nuxt

affected

Version	Status	Constraints
`>= 1.1.0, < 1.13.28`	affected	—
`>= 2.0.0, < 2.2.2`	affected	—

clerk

shared

affected

Version	Status	Constraints
`>= 2.20.17, < 2.22.1`	affected	—
`>= 3.0.0-canary.v20250225091530, < 3.47.4`	affected	—
`>= 4.0.0, < 4.8.1`	affected	—

No data.

Vendor Product Confidence Versions

Clerk

Astro

100%

Version	Status	Scheme	Platform
`[0.0.1,1.5.7)`	affected	semver	—
`[2.0.0-snapshot.v20241206174604,2.17.9]`	affected	semver	—
`[3.0.0,3.0.15)`	affected	semver	—

Clerk

Nextjs

100%

Version	Status	Scheme	Platform
`[5.0.0,5.7.6)`	affected	semver	—
`[6.0.0-snapshot.vb87a27f,6.39.2)`	affected	semver	—
`[7.0.0,7.2.1)`	affected	semver	—

Clerk

Nuxt

100%

Version	Status	Scheme	Platform
`[1.1.0,1.13.28)`	affected	semver	—
`[2.0.0,2.2.2)`	affected	semver	—

Clerk

Shared

100%

Version	Status	Scheme	Platform
`[2.20.17,2.22.1)`	affected	semver	—
`[3.0.0-canary.v20250225091530,3.47.4)`	affected	semver	—
`[4.0.0,4.8.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade @clerk/astro to 1.5.7, 2.17.10, or 3.0.15
Upgrade @clerk/nextjs to 5.7.6, 6.39.2, or 7.2.1
Upgrade @clerk/nuxt to 1.13.28 or 2.2.2
Upgrade @clerk/shared to 2.22.1, 3.47.4, or 4.8.1
Add additional runtime authentication checks in downstream route handlers to act as a safeguard

Generated by OpenCVE AI on April 28, 2026 at 05:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-vqx2-fgx2-5wq9	Official Clerk JavaScript SDKs: Middleware-based route protection bypass

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00112.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9

History

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Clerk Clerk astro Clerk nextjs Clerk nuxt Clerk shared
Vendors & Products		Clerk Clerk astro Clerk nextjs Clerk nuxt Clerk shared

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 24 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1
Title		Official Clerk JavaScript SDKs: Middleware-based route protection bypass
Weaknesses		CWE-436 CWE-863
References		https://github.com/clerk/javascript/security/advisories/GHSA-vqx2-fgx2-5wq9
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Clerk Astro Nextjs Nuxt Shared

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-24T21:04:35.810Z

Updated: 2026-04-27T13:46:28.646Z

Reserved: 2026-04-18T03:47:03.136Z

Link: CVE-2026-41248

Vulnrichment

Updated: 2026-04-27T13:46:23.286Z

NVD

Status : Deferred

Published: 2026-04-24T21:16:18.497

Modified: 2026-04-29T20:56:50.103

Link: CVE-2026-41248

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:45:23Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object