118 matches found
Malicious code in @mastra/auth-clerk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d80aa3e2beb7b80c5c0ab6155ebf33290b48d7e23a97f7dc5e2f7bc288d5e84f The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
MAL-2026-5385 Malicious code in @0xlr/clerk-auth (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2ff421a5ccb412fd8455e89a1b9875b427ed34af12fa4b188ed4418cd8f52a74 On npm install, postinstall.js enumerates the entire process environment Object.keysprocess.env.sort.forEach along with hostname, username, home...
CVE-2026-42349
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...
CVE-2026-42349
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...
CVE-2026-42349 Clerk: Authorization bypass when combining organization, billing, or reverification checks
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...
CVE-2026-42349
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...
CVE-2026-42349 Clerk: Authorization bypass when combining organization, billing, or reverification checks
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...
CVE-2026-42349 Clerk: Authorization bypass when combining organization, billing, or reverification checks
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...
CVE-2026-42349
CVE-2026-42349 - Clerk authorization bypass : Cler k JS ecosystem components (@clerk/shared, @clerk/nextjs, @clerk/backend, and related SDKs) can incorrectly return true for combined authorization checks in has()/auth.protect(), allowing a gated action to proceed when a user does not satisfy all ...
Official Clerk JavaScript SDKs ไปฃ็ ้ฎ้ขๆผๆด
The Official Clerk JavaScript SDKs are an open-source repository for Clerk authentication purposes. These SDKs have code vulnerabilities that can lead to false positives during authorization checks. This occurs when functions like has and auth.protect, along with related authorization predicates,...
@clerk/chrome-extension (>=3.0.0 <=3.1.35-canary.v20260611003803), @clerk/expo (>=3.0.0 <=3.4.2-canary.v20260611003803) +3 more potentially affected by CVE-2026-42349 via @clerk/clerk-js (>=6.0.1-canary.v20260303211310 <=6.7.5-snapshot.v20260421194054)
@clerk/clerk-js NPM version =6.0.1-canary.v20260303211310, =3.0.0, =3.0.0, =0.2.13, =0.2.0, =0.8.3 - tauri-plugin-clerk =0.1.1 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...
@clerk/agent-toolkit (>=0.3.1-canary.v20260303211310 <=0.3.16-snapshot.v20260416221307), @clerk/astro (>=3.0.1-canary.v20260303211310 <=3.0.18-snapshot.v20260421194054) +9 more potentially affected by CVE-2026-42349 via @clerk/backend (>=3.0.0 <=3.2.14-snapshot.v20260421194054)
@clerk/backend NPM version =3.0.0, =0.3.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =0.0.3-canary.v20260303211310, =7.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310,...
@builder-builder/builder (>=0.0.7 <=0.0.27), @carrierllc/mcp (>=0.2.0 <=0.2.17) +78 more potentially affected by CVE-2026-42349 via @clerk/shared (>=4.0.0 <=4.8.3-snapshot.v20260421194054)
@clerk/shared NPM version =4.0.0, =0.0.7, =0.2.0, =0.2.5-canary-core3.v20251124105058, =3.0.0, =3.0.0, =3.0.0, =5.68.0-snapshot.v20250528192432, =3.0.0, =1.0.0, =2.0.0, =2.6.5-canary-core3.v20251124105058, =0.0.2, =4.0.0, =7.0.0, =2.0.0, =2.6.2-canary.v20260611003803 and more Source cves:...
@aurora-nexus/aurora-nexus-design-system (=0.2.0), @fireproof/core-protocols-dashboard (>=0.24.3-dev-20261224 <=0.24.12) +6 more potentially affected by CVE-2026-42349 via @clerk/shared (>=3.36.0 <=3.45.1)
@clerk/shared NPM version =3.36.0, =0.24.3-dev-20261224, =0.24.3-dev-20261224, =0.24.3-dev-20261224, =0.0.14, =0.18.25-dev, =0.24.3-dev-20261224, =0.18.25-dev, =0.18.28-dev Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...
@bentwnghk/chat (>=1.91.2 <=1.91.6), @lobehub/chat (>=1.49.5 <=1.49.12) +2 more potentially affected by CVE-2026-42349 via @clerk/nextjs (>=6.10.2 <=6.28.1)
@clerk/nextjs NPM version =6.10.2, =1.91.2, =1.49.5, =0.0.2, =0.17.1, =0.17.3-centauri.0 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...
@clerk/chrome-extension (>=3.0.1-canary.v20260303211310 <=3.1.15-snapshot.v20260421194054), @clerk/expo (>=3.0.1-canary.v20260303211310 <=3.2.2-snapshot.v20260421194054) +7 more potentially affected by CVE-2026-42349 via @clerk/react (>=6.0.1-canary.v20260303211310 <=6.4.3-snapshot.v20260421194054)
@clerk/react NPM version =6.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =7.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =1.0.1-canary.v20260303211310, =2.0.0, =2.0.0, =0.20.1-dev-push, =0.20.3-dev-push, =0.20.4-dev-push Source cves:...
@clerk/chrome-extension (>=3.0.0 <=3.1.35-canary.v20260611003803), @clerk/expo (>=3.0.0 <=3.4.2-canary.v20260611003803) +3 more potentially affected by CVE-2026-42349 via @clerk/clerk-js (>=6.0.1-canary.v20260303211310 <=6.7.5-snapshot.v20260421194054)
@clerk/clerk-js NPM version =6.0.1-canary.v20260303211310, =3.0.0, =3.0.0, =0.2.13, =0.2.0, =0.8.3 - tauri-plugin-clerk =0.1.1 Source cves: CVE-2026-42349 Source advisory: SNYK:JS-CLERKCLERKJS-16347748...
Incorrect Authorization
Overview @clerk/nextjs is a Clerk SDK for NextJS Affected versions of this package are vulnerable to Incorrect Authorization through the createProtect and createCheckAuthorization functions. An attacker can gain access to protected pages or handlers by supplying a single auth.protect or has call...
Incorrect Authorization
Overview @clerk/clerk-js is a Clerk JS library Affected versions of this package are vulnerable to Incorrect Authorization through the createProtect and createCheckAuthorization functions. An attacker can gain access to protected pages or handlers by supplying a single auth.protect or has call th...
@unhook/cli (>=0.8.0 <=0.15.0) potentially affected by CVE-2026-42349 via @clerk/express (>=1.5.0 <=1.7.63)
@clerk/express NPM version =1.5.0, =0.8.0, =0.15.0 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...