118 matches found

OSV
• added 2026/06/09 4:7 p.m. • 9 views

MAL-2026-5385 Malicious code in @0xlr/clerk-auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2ff421a5ccb412fd8455e89a1b9875b427ed34af12fa4b188ed4418cd8f52a74 On npm install, postinstall.js enumerates the entire process environment (Object.keys(process.env).sort().forEach) along with hostname, username, home...

5.5 AI score
Exploits 0 • References 1

RedhatCVE
• added 2026/05/14 7:58 p.m. • 6 views

CVE-2026-42349

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...

8.1 CVSS • 5.8 AI score • 0.00246 EPSS
Exploits 0 • References 1

NVD
• added 2026/05/11 5:16 p.m. • 13 views

CVE-2026-42349

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...

8.1 CVSS • 0.00246 EPSS
Exploits 0 • References 1

ATTACKERKB
• added 2026/05/11 4:8 p.m. • 3 views

CVE-2026-42349

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...

7.6 CVSS • 5.8 AI score • 0.00246 EPSS
Exploits 0 • References 2 • Affected Software 17

Vulnrichment
• added 2026/05/11 4:8 p.m. • 4 views

CVE-2026-42349 Clerk: Authorization bypass when combining organization, billing, or reverification checks

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...

7.6 CVSS • 5.8 AI score • 0.00246 EPSS
Exploits 0 • References 1

Cvelist
• added 2026/05/11 4:8 p.m. • 33 views

CVE-2026-42349 Clerk: Authorization bypass when combining organization, billing, or reverification checks

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...

7.6 CVSS • 0.00246 EPSS
Exploits 0 • References 1

CVE
• added 2026/05/11 4:8 p.m. • 19 views

CVE-2026-42349

CVE-2026-42349 - Clerk authorization bypass: Clerk JS ecosystem components (@clerk/shared, @clerk/nextjs, @clerk/backend, and related SDKs) can incorrectly return true for combined authorization checks in has()/auth.protect(), allowing a gated action to proceed when a user does not satisfy all ...

8.1 CVSS • 5.8 AI score • 0.00246 EPSS
Exploits 0 • References 1 • Affected Software 17

CNNVD
• added 2026/05/11 12:0 a.m. • 8 views

Official Clerk JavaScript SDKs code issue vulnerability

The Official Clerk JavaScript SDKs are an open-source repository for Clerk authentication purposes. These SDKs have code vulnerabilities that can lead to false positives during authorization checks. This occurs when functions like has and auth.protect, along with related authorization predicates,...

8.1 CVSS • 5.9 AI score • 0.00246 EPSS
Exploits 0 • References 2

vulnersOsv
• added 2026/04/30 6:20 p.m. • 20 views

@clerk/agent-toolkit (>=0.3.1-canary.v20260303211310 <=0.3.16-snapshot.v20260416221307), @clerk/astro (>=3.0.1-canary.v20260303211310 <=3.0.18-snapshot.v20260421194054) +9 more potentially affected by CVE-2026-42349 via @clerk/backend (>=3.0.0 <=3.2.14-snapshot.v20260421194054)

@clerk/backend NPM version =3.0.0, =0.3.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =0.0.3-canary.v20260303211310, =7.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310,...

8.1 CVSS • 5.8 AI score • 0.00246 EPSS
Exploits 0

vulnersOsv
• added 2026/04/30 6:20 p.m. • 12 views

@unhook/cli (>=0.9.3 <=0.15.0) potentially affected by CVE-2026-42349 via @clerk/backend (>=2.0.0 <=2.29.3)

@clerk/backend NPM version =2.0.0, =0.9.3, =0.15.0 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...

8.1 CVSS • 5.8 AI score • 0.00246 EPSS
Exploits 0

vulnersOsv
• added 2026/04/30 6:20 p.m. • 5 views

@clerk/nuxt (>=2.0.1-canary.v20260303211310 <=2.2.5-snapshot.v20260421194054) potentially affected by CVE-2026-42349 via @clerk/vue (>=2.0.1-canary.v20260303211310 <=2.0.16-snapshot.v20260421194054)

@clerk/vue NPM version =2.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =2.2.5-snapshot.v20260421194054 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...

8.1 CVSS • 5.8 AI score • 0.00246 EPSS
Exploits 0

vulnersOsv
• added 2026/04/30 6:20 p.m. • 6 views

@bentwnghk/chat (>=1.91.2 <=1.91.6), @lobehub/chat (>=1.49.5 <=1.49.12) +2 more potentially affected by CVE-2026-42349 via @clerk/nextjs (>=6.10.2 <=6.28.1)

@clerk/nextjs NPM version =6.10.2, =1.91.2, =1.49.5, =0.0.2, =0.17.1, =0.17.3-centauri.0 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...

8.1 CVSS • 5.8 AI score • 0.00246 EPSS
Exploits 0

vulnersOsv
• added 2026/04/30 6:20 p.m. • 7 views

@unhook/cli (>=0.8.0 <=0.15.0) potentially affected by CVE-2026-42349 via @clerk/express (>=1.5.0 <=1.7.63)

@clerk/express NPM version =1.5.0, =0.8.0, =0.15.0 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...

8.1 CVSS • 5.8 AI score • 0.00246 EPSS
Exploits 0

vulnersOsv
• added 2026/04/30 6:20 p.m. • 6 views

@aurora-nexus/aurora-nexus-design-system (=0.2.0), @fireproof/core-protocols-dashboard (>=0.24.3-dev-20261224 <=0.24.12) +6 more potentially affected by CVE-2026-42349 via @clerk/shared (>=3.36.0 <=3.45.1)

@clerk/shared NPM version =3.36.0, =0.24.3-dev-20261224, =0.24.3-dev-20261224, =0.24.3-dev-20261224, =0.0.14, =0.18.25-dev, =0.24.3-dev-20261224, =0.18.25-dev, =0.18.28-dev Source cves: CVE-2026-42349 Source advisory: SNYK:JS-CLERKSHARED-16347746...

8.1 CVSS • 5.8 AI score • 0.00246 EPSS
Exploits 0

vulnersOsv
• added 2026/04/30 6:20 p.m. • 4 views

@maslowai/roster (=3.14.0), drafted (>=1.1.3 <=1.7.20) potentially affected by CVE-2026-42349 via @clerk/express (>=2.0.8 <=2.1.22)

@clerk/express NPM version =2.0.8, =1.1.3, =1.7.20 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...

8.1 CVSS • 5.4 AI score • 0.00246 EPSS
Exploits 0

Snyk
• added 2026/04/30 6:20 p.m. • 1 views

Incorrect Authorization

Overview: @clerk/shared is an internal utilities package used by the Clerk SDKs. Affected versions of this package are vulnerable to Incorrect Authorization through the createProtect and createCheckAuthorization functions. An attacker can gain access to protected pages or handlers by supplying a single...

7.6 CVSS • 5.8 AI score • 0.00246 EPSS
Exploits 0 • References 3

vulnersOsv
• added 2026/04/30 6:20 p.m. • 7 views

@clerk/chrome-extension (>=3.0.1-canary.v20260303211310 <=3.1.15-snapshot.v20260421194054), @clerk/expo (>=3.0.1-canary.v20260303211310 <=3.2.2-snapshot.v20260421194054) +7 more potentially affected by CVE-2026-42349 via @clerk/react (>=6.0.1-canary.v20260303211310 <=6.4.3-snapshot.v20260421194054)

@clerk/react NPM version =6.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =7.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =1.0.1-canary.v20260303211310, =2.0.0, =2.0.0, =0.20.1-dev-push, =0.20.3-dev-push, =0.20.4-dev-push Source cves:...

8.1 CVSS • 5.8 AI score • 0.00246 EPSS
Exploits 0

vulnersOsv
• added 2026/04/30 6:20 p.m. • 5 views

@clerk/chrome-extension (>=3.0.0 <=3.1.32-canary.v20260529204536), @clerk/expo (>=3.0.0 <=3.3.1-canary.v20260529204536) +3 more potentially affected by CVE-2026-42349 via @clerk/clerk-js (>=6.0.1-canary.v20260303211310 <=6.7.5-snapshot.v20260421194054)

@clerk/clerk-js NPM version =6.0.1-canary.v20260303211310, =3.0.0, =3.0.0, =0.2.13, =0.2.0, =0.8.3 - tauri-plugin-clerk =0.1.1 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...

8.1 CVSS • 5.4 AI score • 0.00246 EPSS
Exploits 0

vulnersOsv
• added 2026/04/30 6:20 p.m. • 14 views

@bentwnghk/chat (>=1.91.2 <=1.91.6), @lobehub/chat (>=1.49.5 <=1.49.12) +2 more potentially affected by CVE-2026-42349 via @clerk/nextjs (>=6.10.2 <=6.28.1)

@clerk/nextjs NPM version =6.10.2, =1.91.2, =1.49.5, =0.0.2, =0.17.1, =0.17.3-centauri.0 Source cves: CVE-2026-42349 Source advisory: SNYK:JS-CLERKNEXTJS-16347747...

8.1 CVSS • 5.8 AI score • 0.00246 EPSS
Exploits 0

vulnersOsv
• added 2026/04/30 6:20 p.m. • 5 views

@builder-builder/builder (>=0.0.7 <=0.0.26), @carrierllc/mcp (>=0.2.0 <=0.2.16) +76 more potentially affected by CVE-2026-42349 via @clerk/shared (>=4.0.0 <=4.8.3-snapshot.v20260421194054)

@clerk/shared NPM version =4.0.0, =0.0.7, =0.2.0, =0.2.5-canary-core3.v20251124105058, =3.0.0, =3.0.0, =3.0.0, =5.68.0-snapshot.v20250528192432, =3.0.0, =1.0.0, =2.0.0, =2.6.5-canary-core3.v20251124105058, =0.0.2, =4.0.0, =7.0.0, =2.0.0, =2.5.3-canary.v20260529204536 and more Source cves:...

8.1 CVSS • 5.4 AI score • 0.00246 EPSS
Exploits 0