Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in @clerk/astro 1.5.7, 2.17.10, and 3.0.15; @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1; @clerk/nuxt 1.13.28 and 2.2.2; and @clerk/shared 2.22.1, 3.47.4, anc 4.8.1
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.7.6"
},
{
"introduced": "2.20.17"
},
{
"fixed": "2.22.1"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41248.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-436",
"CWE-863"
]
}{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "0.0.1"
},
{
"fixed": "1.5.7"
},
{
"introduced": "2.0.0-snapshot.v20241206174604"
},
{
"last_affected": "2.17.9"
},
{
"introduced": "6.0.0-snapshot.vb87a27f"
},
{
"fixed": "6.39.2"
},
{
"introduced": "3.0.0-canary.v20250225091530"
},
{
"fixed": "3.47.4"
},
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.15"
},
{
"introduced": "7.0.0"
},
{
"fixed": "7.2.1"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.2.2"
},
{
"introduced": "1.1.0"
},
{
"fixed": "1.13.28"
},
{
"introduced": "4.0.0"
},
{
"fixed": "4.8.1"
}
]
}