CVE-2026-42349 Overview
CVE-2026-42349 is an authorization bypass vulnerability affecting Clerk JavaScript, the official authentication library for Clerk. The flaw exists in the has(), auth.protect(), and related authorization predicate functions across @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs. These predicates can return true for combined authorization checks when the result should be false. The bypass allows users who do not satisfy the full set of conditions to perform gated actions. The vulnerability maps to CWE-754 (Improper Check for Unusual or Exceptional Conditions).
Critical Impact
Authenticated users can bypass combined authorization checks that mix reverification with role, permission, feature, or plan conditions, gaining access to protected actions without meeting all required policies.
Affected Products
- @clerk/clerk-js versions prior to 5.125.10
- @clerk/clerk-js 6.x versions prior to 6.7.5
- @clerk/shared, @clerk/nextjs, @clerk/backend, and related framework SDKs that rely on the affected predicate logic
Discovery Timeline
- 2026-05-11 - CVE-2026-42349 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-42349
Vulnerability Analysis
The vulnerability resides in the authorization predicate logic that evaluates compound checks. The has() function and auth.protect() helper accept structured arguments combining multiple authorization conditions. When a caller combines a reverification check with a role, permission, feature, or plan check, or combines a billing check (feature or plan) with a role or permission check, the predicate evaluates the combination incorrectly. The function returns true when one component passes, rather than requiring all components to pass.
In applications that use Clerk to gate sensitive actions, such as administrative operations, paid features, or operations requiring step-up authentication, those actions can be invoked by users who satisfy only a subset of the policy. The vulnerability does not require attacker-controlled input beyond an authenticated session.
Root Cause
The root cause is improper handling of compound conditional logic within the authorization predicates. The implementation fails to enforce logical conjunction across all check categories when reverification or billing conditions are combined with role-based or permission-based conditions. This is consistent with CWE-754, where an exceptional state in the combined evaluation is not handled correctly.
Attack Vector
An authenticated user with low privileges sends a request to an endpoint protected by a compound Clerk authorization check. If the protection logic combines reverification with a role or permission check, or pairs a billing entitlement with a role or permission check, the predicate returns true for the user who only matches one condition. The gated action executes as if the user satisfied every requirement.
Exploitation requires network access to the application and a valid authenticated session. No user interaction is needed beyond normal application use. See the GitHub Security Advisory GHSA-w24r-5266-9c3c for the maintainer's technical description.
Detection Methods for CVE-2026-42349
Indicators of Compromise
- Application audit logs showing successful execution of gated actions by user accounts that lack the required role, permission, plan, or feature entitlement.
- Successful access to endpoints protected by auth.protect() or has() without a recent reverification event in the session log.
- Unexpected billing-gated feature usage by accounts on plans that do not include those features.
Detection Strategies
- Review server-side authorization decisions and correlate them against the user's actual role, permission, plan, feature, and reverification state at request time.
- Inventory all call sites of has() and auth.protect() in the codebase, focusing on calls that combine reverification with role, permission, feature, or plan conditions, or that combine billing checks with role or permission checks.
- Add server-side assertions that independently re-evaluate each authorization condition for sensitive routes.
Monitoring Recommendations
- Log every authorization decision returned by Clerk predicates, including the input conditions and the user's resolved attributes.
- Alert on access to sensitive routes when the user's plan, feature, or reverification status does not match the route's policy.
- Track Clerk SDK package versions across services and flag any deployment still running @clerk/clerk-js below 5.125.10 on the 5.x branch or below 6.7.5 on the 6.x branch.
How to Mitigate CVE-2026-42349
Immediate Actions Required
- Upgrade @clerk/clerk-js to 5.125.10 on the 5.x branch or 6.7.5 on the 6.x branch, and update transitive Clerk SDK packages to versions that consume the fixed core.
- Audit application code for compound has() and auth.protect() calls that mix reverification with role, permission, feature, or plan, or that mix billing checks with role or permission checks.
- Temporarily split compound checks into sequential individual checks until patched versions are deployed across all services.
Patch Information
The Clerk maintainers fixed the vulnerability in @clerk/clerk-js 5.125.10 and 6.7.5. Patch details and the full advisory are available in the Clerk GitHub Security Advisory.
Workarounds
- Replace single compound predicate calls with multiple sequential calls, evaluating each condition independently and requiring all to return true before proceeding.
- Implement a defense-in-depth authorization layer on the server that revalidates role, permission, plan, feature, and reverification state outside of the Clerk predicate.
- Restrict access to high-impact endpoints to explicitly enumerated roles or permissions until upgrade is complete.
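The predicate flaw, the split-check workaround and the log-correlation detection described above, modelled together as an added example that is not Clerk's code: flawedHas() reproduces the any-one-passes behaviour, strictHas() is the conjunctive re-evaluation the workarounds call for, and findSuspiciousGrants() applies it to constructed audit entries. Session fields, policy keys, the log shape and the ten-minute reverification window are assumptions.

```javascript
// Added example, not Clerk's code: models the compound-check flaw, a strict
// evaluator for the workaround, and a detection pass over constructed logs.
const REVERIFY_WINDOW_MS = 10 * 60 * 1000; // assumed step-up freshness window

// One checker per condition category; `now` is only used by reverification.
const CONDITION_CHECKS = {
  role: (s, role) => s.roles.includes(role),
  permission: (s, perm) => s.permissions.includes(perm),
  plan: (s, plan) => s.plan === plan,
  feature: (s, feat) => s.features.includes(feat),
  reverification: (s, maxAgeMs, now) =>
    s.reverifiedAt !== null && now - s.reverifiedAt <= maxAgeMs,
};

// Flawed evaluator modelling the advisory: the compound check is satisfied
// as soon as any one component passes (disjunction instead of conjunction).
function flawedHas(session, policy, now = Date.now()) {
  return Object.entries(policy).some(([k, v]) => CONDITION_CHECKS[k](session, v, now));
}

// Hardened evaluator: every component must pass; an empty policy or an
// unknown condition key fails closed.
function strictHas(session, policy, now = Date.now()) {
  const conditions = Object.entries(policy);
  return conditions.length > 0 && conditions.every(([k, v]) =>
    Object.prototype.hasOwnProperty.call(CONDITION_CHECKS, k) &&
    CONDITION_CHECKS[k](session, v, now));
}

// Detection: re-run the strict evaluator over logged "allow" decisions that
// record the user's resolved attributes; return the grants that should have
// been denied.
function findSuspiciousGrants(entries) {
  return entries
    .filter(e => e.decision === 'allow' && !strictHas(e.session, e.policy, e.ts))
    .map(e => e.requestId);
}

// Constructed sample log: r1 passes only the role half of a reverification+role
// policy, r2 satisfies both halves, r3 passes only the feature half.
const NOW = 1_700_000_000_000;
const AUDIT_LOG = [
  { requestId: 'r1', ts: NOW, decision: 'allow', policy: { role: 'admin', reverification: REVERIFY_WINDOW_MS },
    session: { roles: ['admin'], permissions: [], plan: 'free', features: [], reverifiedAt: null } },
  { requestId: 'r2', ts: NOW, decision: 'allow', policy: { plan: 'pro', permission: 'billing:manage' },
    session: { roles: ['member'], permissions: ['billing:manage'], plan: 'pro', features: [], reverifiedAt: null } },
  { requestId: 'r3', ts: NOW, decision: 'allow', policy: { feature: 'export', role: 'admin' },
    session: { roles: ['member'], permissions: [], plan: 'pro', features: ['export'], reverifiedAt: null } },
];
```

Running findSuspiciousGrants over real decision logs requires that each entry record the policy evaluated and the user's resolved attributes at request time, which is what the monitoring recommendations above ask for.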
# Update Clerk SDK to a fixed version
npm install @clerk/clerk-js@^5.125.10
# or, for the 6.x branch
npm install @clerk/clerk-js@^6.7.5
# Verify installed version
npm ls @clerk/clerk-js
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.