117 matches found
CVE-2026-42349
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...
CVE-2026-42349
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...
CVE-2026-42349
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...
CVE-2026-42349 Clerk: Authorization bypass when combining organization, billing, or reverification checks
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...
CVE-2026-42349
CVE-2026-42349 - Clerk authorization bypass : Cler k JS ecosystem components (@clerk/shared, @clerk/nextjs, @clerk/backend, and related SDKs) can incorrectly return true for combined authorization checks in has()/auth.protect(), allowing a gated action to proceed when a user does not satisfy all ...
CVE-2026-42349 Clerk: Authorization bypass when combining organization, billing, or reverification checks
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...
Official Clerk JavaScript SDKs ไปฃ็ ้ฎ้ขๆผๆด
The Official Clerk JavaScript SDKs are an open-source repository for Clerk authentication purposes. These SDKs have code vulnerabilities that can lead to false positives during authorization checks. This occurs when functions like has and auth.protect, along with related authorization predicates,...
@clerk/chrome-extension (>=3.0.0 <=3.1.25-canary.v20260508190534), @clerk/expo (>=3.0.0 <=3.2.11-canary.v20260508190534) +3 more potentially affected by CVE-2026-42349 via @clerk/clerk-js (>=6.0.1-canary.v20260303211310 <=6.7.5-snapshot.v20260421194054)
@clerk/clerk-js NPM version =6.0.1-canary.v20260303211310, =3.0.0, =3.0.0, =0.2.13, =0.2.0, =0.8.3 - tauri-plugin-clerk =0.1.1 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...
@maslowai/roster (=3.14.0), drafted (>=1.1.3 <=1.7.17) potentially affected by CVE-2026-42349 via @clerk/express (>=2.0.8 <=2.1.15)
@clerk/express NPM version =2.0.8, =1.1.3, =1.7.17 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...
@bentwnghk/chat (>=1.91.2 <=1.91.6), @lobehub/chat (>=1.49.5 <=1.49.12) +2 more potentially affected by CVE-2026-42349 via @clerk/nextjs (>=6.10.2 <=6.28.1)
@clerk/nextjs NPM version =6.10.2, =1.91.2, =1.49.5, =0.0.2, =0.17.1, =0.17.3-centauri.0 Source cves: CVE-2026-42349 Source advisory: SNYK:JS-CLERKNEXTJS-16347747...
@clerk/chrome-extension (>=3.0.0 <=3.1.25-canary.v20260508190534), @clerk/expo (>=3.0.0 <=3.2.11-canary.v20260508190534) +3 more potentially affected by CVE-2026-42349 via @clerk/clerk-js (>=6.0.1-canary.v20260303211310 <=6.7.5-snapshot.v20260421194054)
@clerk/clerk-js NPM version =6.0.1-canary.v20260303211310, =3.0.0, =3.0.0, =0.2.13, =0.2.0, =0.8.3 - tauri-plugin-clerk =0.1.1 Source cves: CVE-2026-42349 Source advisory: SNYK:JS-CLERKCLERKJS-16347748...
@unhook/cli (>=0.9.3 <=0.15.0) potentially affected by CVE-2026-42349 via @clerk/backend (>=2.0.0 <=2.29.3)
@clerk/backend NPM version =2.0.0, =0.9.3, =0.15.0 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...
Incorrect Authorization
Overview @clerk/clerk-js is a Clerk JS library Affected versions of this package are vulnerable to Incorrect Authorization through the createProtect and createCheckAuthorization functions. An attacker can gain access to protected pages or handlers by supplying a single auth.protect or has call th...
@clerk/agent-toolkit (>=0.2.5-canary-core3.v20251124105058 <=0.3.16-snapshot.v20260416221307), @clerk/astro (>=3.0.0 <=3.2.3-canary.v20260508190534) +69 more potentially affected by CVE-2026-42349 via @clerk/shared (>=4.0.0 <=4.8.3-snapshot.v20260421194054)
@clerk/shared NPM version =4.0.0, =0.2.5-canary-core3.v20251124105058, =3.0.0, =3.0.0, =3.0.0, =5.68.0-snapshot.v20250528192432, =3.0.0, =1.0.0, =2.0.0, =2.6.5-canary-core3.v20251124105058, =0.0.2, =4.0.0, =7.0.0, =2.0.0, =6.0.0, =2.2.5-canary-core3.v20251124105058, =3.2.4-canary.v20260508190534...
Incorrect Authorization
Overview @clerk/nextjs is a Clerk SDK for NextJS Affected versions of this package are vulnerable to Incorrect Authorization through the createProtect and createCheckAuthorization functions. An attacker can gain access to protected pages or handlers by supplying a single auth.protect or has call...
@unhook/cli (>=0.8.0 <=0.15.0) potentially affected by CVE-2026-42349 via @clerk/express (>=1.5.0 <=1.7.63)
@clerk/express NPM version =1.5.0, =0.8.0, =0.15.0 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...
@clerk/nuxt (>=2.0.1-canary.v20260303211310 <=2.2.5-snapshot.v20260421194054) potentially affected by CVE-2026-42349 via @clerk/vue (>=2.0.1-canary.v20260303211310 <=2.0.16-snapshot.v20260421194054)
@clerk/vue NPM version =2.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =2.2.5-snapshot.v20260421194054 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...
Incorrect Authorization
Overview @clerk/shared is an Internal package utils used by the Clerk SDKs Affected versions of this package are vulnerable to Incorrect Authorization through the createProtect and createCheckAuthorization functions. An attacker can gain access to protected pages or handlers by supplying a single...
@bentwnghk/chat (>=1.91.2 <=1.91.6), @lobehub/chat (>=1.49.5 <=1.49.12) +2 more potentially affected by CVE-2026-42349 via @clerk/nextjs (>=6.10.2 <=6.28.1)
@clerk/nextjs NPM version =6.10.2, =1.91.2, =1.49.5, =0.0.2, =0.17.1, =0.17.3-centauri.0 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...
@aurora-nexus/aurora-nexus-design-system (=0.2.0), @fireproof/core-protocols-dashboard (>=0.24.3-dev-20261224 <=0.24.12) +6 more potentially affected by CVE-2026-42349 via @clerk/shared (>=3.36.0 <=3.45.1)
@clerk/shared NPM version =3.36.0, =0.24.3-dev-20261224, =0.24.3-dev-20261224, =0.24.3-dev-20261224, =0.0.14, =0.18.25-dev, =0.24.3-dev-20261224, =0.18.25-dev, =0.18.28-dev Source cves: CVE-2026-42349 Source advisory: SNYK:JS-CLERKSHARED-16347746...