Description
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
Published: 2026-05-11
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Clerk JavaScript library contains a flaw where the has() or auth.protect() predicates can incorrectly return true when certain combined checks are performed, such as a rev‑verification check combined with a role, permission, feature, or plan check, or a billing check combined with a role or permission check. This behavior allows a gated action to proceed for a user who does not satisfy all required conditions, effectively bypassing authorization and enabling privilege escalation or unauthorized access to protected resources.

Affected Systems

The vulnerability applies to a wide range of Clerk SDKs, including @clerk/shared, @clerk/nextjs, @clerk/backend, @clerk/expo, @clerk/express, @clerk/fastify, @clerk/hono, @clerk/nuxt, @clerk/react, @clerk/react‑router, @clerk/tanstack‑react‑start, @clerk/vue, and the core clerk:javascript package. All installations prior to the fixed releases of 5.125.10 (for the JavaScript SDK) or 6.7.5 (for the community SDK) are potentially vulnerable. No specific pre‑fix versions are listed, so any version older than the stated fixes should be assumed at risk.

Risk and Exploitability

The severity is high, with a CVSS score of 7.6, and the vulnerability is not recorded in the CISA KEV list. Exploitation requires only that the vulnerable code be executed in the application, usually through normal application flow. An attacker who can supply or influence the arguments to has() or auth.protect() can construct a combined predicate that the library mistakenly evaluates to true. The vulnerability poses a significant risk to any application using these combined checks, but no external network exploitation is required, which limits the attack surface to the application deployment itself.

Generated by OpenCVE AI on May 11, 2026 at 17:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all Clerk packages to at least version 5.125.10 or 6.7.5, ensuring that any instance of @clerk/shared, @clerk/nextjs, @clerk/backend, and related SDKs are updated.
  • Refactor authorization logic so that reverification or billing checks are not combined with role, permission, feature, or plan checks in a single has() or auth.protect() call; instead, perform these checks separately to avoid logical overlap.
  • Conduct thorough authorization testing after the update to confirm that gated actions no longer succeed when a user does not meet all required conditions.

Generated by OpenCVE AI on May 11, 2026 at 17:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w24r-5266-9c3c Clerk has an authorization bypass when combining organization, billing, or reverification checks
History

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Clerk
Clerk astro
Clerk backend
Clerk chrome-extension
Clerk clerk-expo
Clerk clerk-react
Clerk expo
Clerk express
Clerk fastify
Clerk hono
Clerk javascript
Clerk nextjs
Clerk nuxt
Clerk react
Clerk react-router
Clerk shared
Clerk tanstack-react-start
Clerk vue
Vendors & Products Clerk
Clerk astro
Clerk backend
Clerk chrome-extension
Clerk clerk-expo
Clerk clerk-react
Clerk expo
Clerk express
Clerk fastify
Clerk hono
Clerk javascript
Clerk nextjs
Clerk nuxt
Clerk react
Clerk react-router
Clerk shared
Clerk tanstack-react-start
Clerk vue

Mon, 11 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
Title Clerk: Authorization bypass when combining organization, billing, or reverification checks
Weaknesses CWE-754
CWE-863
References
Metrics cvssV4_0

{'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Clerk Astro Backend Chrome-extension Clerk-expo Clerk-react Expo Express Fastify Hono Javascript Nextjs Nuxt React React-router Shared Tanstack-react-start Vue
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T16:08:27.869Z

Reserved: 2026-04-26T13:26:14.515Z

Link: CVE-2026-42349

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-11T17:16:33.147

Modified: 2026-05-11T17:16:33.147

Link: CVE-2026-42349

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T09:22:55Z

Weaknesses