Incorrect Authorization

Overview @clerk/nextjs is a Clerk SDK for NextJS Affected versions of this package are vulnerable to Incorrect Authorization through the createProtect and createCheckAuthorization functions. An attacker can gain access to protected pages or handlers by supplying a single auth.protect or has call...

@clerk/agent-toolkit (>=0.3.1-canary.v20260303211310 <=0.3.16-snapshot.v20260416221307), @clerk/astro (>=3.0.1-canary.v20260303211310 <=3.0.18-snapshot.v20260421194054) +9 more potentially affected by CVE-2026-42349 via @clerk/backend (>=3.0.0 <=3.2.14-snapshot.v20260421194054)

@clerk/backend NPM version =3.0.0, =0.3.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =0.0.3-canary.v20260303211310, =7.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310,...

@bentwnghk/chat (>=1.91.2 <=1.91.6), @lobehub/chat (>=1.49.5 <=1.49.12) +2 more potentially affected by CVE-2026-42349 via @clerk/nextjs (>=6.10.2 <=6.28.1)

@clerk/nextjs NPM version =6.10.2, =1.91.2, =1.49.5, =0.0.2, =0.17.1, =0.17.3-centauri.0 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...

PT-2026-36820

Name of the Vulnerable Software and Affected Versions @clerk/clerk-js versions prior to 5.125.10 @clerk/clerk-js versions prior to 6.7.5 @clerk/shared affected versions not specified @clerk/nextjs affected versions not specified @clerk/backend affected versions not specified Description...

CVE-2026-41248

The CVE-2026-41248 affects Clerk JavaScript repositories: createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by crafted requests, bypassing middleware gating and reaching downstream handlers. Affected fixes are: @clerk/astro 1.5.7, 2.17.10, 3.0.15; @clerk/nextjs 5....

@bentwnghk/chat (>=1.91.2 <=1.91.6), @lobehub/chat (>=1.49.5 <=1.49.12) +2 more potentially affected by CVE-2026-41248 via @clerk/nextjs (>=6.10.2 <=6.28.1)

@clerk/nextjs NPM version =6.10.2, =1.91.2, =1.49.5, =0.0.2, =0.17.1, =0.17.3-centauri.0 Source cves: CVE-2026-41248 Source advisory: OSV:GHSA-VQX2-FGX2-5WQ9...

@bentwnghk/chat (>=1.45.5 <=1.45.6), @clerk/elements (=0.0.2-snapshot.vc65ad98) +3 more potentially affected by CVE-2026-41248 via @clerk/nextjs (>=5.0.1-snapshot.vc65ad98 <=5.7.5)

@clerk/nextjs NPM version =5.0.1-snapshot.vc65ad98, =1.45.5, =1.2.8, =1.2.9 - @spike-npm-land/code =0.9.55 - spark-strand-login =1.0.1 Source cves: CVE-2026-41248 Source advisory: OSV:GHSA-VQX2-FGX2-5WQ9...

@clerk/agent-toolkit (>=0.3.1-canary.v20260303211310 <=0.3.16-snapshot.v20260416221307), @clerk/astro (>=3.0.1-canary.v20260303211310 <=3.0.19-canary.v20260422163039) +9 more potentially affected by CVE-2026-34076 via @clerk/backend (>=3.0.0 <=3.2.3-snapshot.v20260327200941)

@clerk/backend NPM version =3.0.0, =0.3.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =0.0.3-canary.v20260303211310, =7.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310,...

@async-atharv/ipaship (>=1.2.1 <=1.2.2), @bentwnghk/chat (>=1.85.2 <=1.107.2) +96 more potentially affected by CVE-2025-53548 via @clerk/backend (>=2.0.0 <=2.33.5)

@clerk/backend NPM version =2.0.0, =1.2.1, =1.85.2, =0.0.1, =3.0.3, =0.1.0, =2.8.0-snapshot.v20250514155045, =1.5.0-snapshot.v20250514155045, =2.3.0, =6.20.0-snapshot.v20250514155045, =1.7.0, =1.5.0, =4.8.0, =0.16.0, =1.7.0-snapshot.v20250514155045, =1.0.4, =1.0.7 and more Source cves:...