
9 matches found

RedhatCVE
added 2026/05/14 7:58 p.m., 3 views

CVE-2026-42349

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...

CVSS 8.1, AI score 5.8, EPSS 0.00046
Exploits: 0, References: 1

Cvelist
added 2026/05/11 4:8 p.m., 28 views

CVE-2026-42349 Clerk: Authorization bypass when combining organization, billing, or reverification checks

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...

CVSS 7.6, EPSS 0.00046
Exploits: 0, References: 1

CVE
added 2026/05/11 4:8 p.m., 5 views

CVE-2026-42349

CVE-2026-42349 - Clerk authorization bypass: Clerk JS ecosystem components (@clerk/shared, @clerk/nextjs, @clerk/backend, and related SDKs) can incorrectly return true for combined authorization checks in has()/auth.protect(), allowing a gated action to proceed when a user does not satisfy all ...

CVSS 8.1, AI score 5.8, EPSS 0.00046
Exploits: 0, References: 1, Affected Software: 17

Vulnrichment
added 2026/05/11 4:8 p.m., 1 view

CVE-2026-42349 Clerk: Authorization bypass when combining organization, billing, or reverification checks

Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...

CVSS 7.6, AI score 5.8, EPSS 0.00046
Exploits: 0, References: 1

Snyk
added 2026/04/30 6:20 p.m., 1 view

Incorrect Authorization

Overview: @clerk/nextjs is a Clerk SDK for NextJS. Affected versions of this package are vulnerable to Incorrect Authorization through the createProtect and createCheckAuthorization functions. An attacker can gain access to protected pages or handlers by supplying a single auth.protect or has call...

CVSS 7.6, AI score 5.8, EPSS 0.00046
Exploits: 0, References: 3

OSV
added 2026/04/30 6:20 p.m., 0 views

GHSA-W24R-5266-9C3C Clerk has an authorization bypass when combining organization, billing, or reverification checks

Summary: has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy t...

CVSS 7.6, AI score 5.8, EPSS 0.00046
Exploits: 0, References: 3

Github Security Blog
added 2026/04/30 6:20 p.m., 3 views

Clerk has an authorization bypass when combining organization, billing, or reverification checks

Summary: has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy t...

CVSS 8.1, AI score 5.5, EPSS 0.00046
Exploits: 0, References: 3, Affected Software: 17

Positive Technologies
added 2026/04/30 12:0 a.m., 4 views

PT-2026-36820

Name of the Vulnerable Software and Affected Versions: @clerk/clerk-js versions prior to 5.125.10; @clerk/clerk-js versions prior to 6.7.5; @clerk/shared affected versions not specified; @clerk/nextjs affected versions not specified; @clerk/backend affected versions not specified. Description...

CVSS 8.1, AI score 5.8, EPSS 0.00046
Exploits: 0, References: 7

EUVD
added 2026/04/22 12:30 p.m., 3 views

EUVD-2026-24735

A flaw was found in Red Hat Quay. When Red Hat Quay requests password re-verification for sensitive operations, such as token generation or robot account creation, the re-authentication prompt can be bypassed. This allows a user with a timed-out session, or an attacker with access to an idle...

CVSS 5.4, AI score 5.9, EPSS 0.00023
Exploits: 0, References: 3