5 matches found
CVE-2026-41248
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in...
CVE-2026-41248
Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in...
Incorrect Authorization
Overview: @clerk/astro is a Clerk SDK for Astro. Affected versions of this package are vulnerable to Incorrect Authorization via the createPathMatcher function in @clerk/shared used by downstream createRouteMatcher. An attacker can gain unauthorized access to protected routes by crafting requests...
GHSA-VQX2-FGX2-5WQ9 Official Clerk JavaScript SDKs: Middleware-based route protection bypass
Summary: createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. Sessions are not compromised and no existing user can be impersonated - the bypass only affects the...
PT-2026-35082
Name of the Vulnerable Software and Affected Versions: @clerk/astro versions prior to 1.5.7; @clerk/astro versions prior to 2.17.10; @clerk/astro versions prior to 3.0.15; @clerk/nextjs versions prior to 5.7.6; @clerk/nextjs versions prior to 6.39.2; @clerk/nextjs versions prior to 7.2.1; @clerk/nuxt...