Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42349.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-754",
"CWE-863"
],
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "5.22.0"
},
{
"fixed": "5.125.10"
},
{
"introduced": "6.0.0"
},
{
"fixed": "6.7.5"
}
]
}
]
}{
"cpe": [
"cpe:2.3:a:clerk:clerk\\/backend:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:clerk:clerk\\/chrome-extension:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:clerk:clerk\\/expo:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:clerk:clerk\\/fastify:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:clerk:clerk\\/react-router:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:clerk:clerk\\/clerk-expo:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:clerk:clerk\\/clerk-react:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:clerk:clerk\\/express:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:clerk:clerk\\/nuxt:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:clerk:clerk\\/vue:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:clerk:clerk\\/hono:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:clerk:clerk\\/tanstack-react-start:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:clerk:clerk\\/shared:*:*:*:*:*:node.js:*:*"
],
"extracted_events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.14"
},
{
"fixed": "3.1.15"
},
{
"fixed": "3.2.2"
},
{
"fixed": "3.1.16"
},
{
"fixed": "3.1.4"
},
{
"introduced": "1.3.5"
},
{
"fixed": "2.9.15"
},
{
"introduced": "2.2.11"
},
{
"fixed": "2.19.36"
},
{
"introduced": "5.9.0"
},
{
"fixed": "5.61.6"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.6"
},
{
"fixed": "2.2.5"
},
{
"fixed": "2.0.16"
},
{
"introduced": "0.0.2"
},
{
"fixed": "0.1.16"
},
{
"introduced": "1.0.0"
},
{
"fixed": "1.13.29"
},
{
"fixed": "1.1.4"
},
{
"introduced": "0.0.1"
},
{
"fixed": "2.4.13"
},
{
"introduced": "4.0.0"
},
{
"fixed": "4.8.3"
}
],
"source": "CPE_RANGE"
}